Cybersecurity researchers have discovered a new Android Remote Access Trojan (RAT) called BingoMod that not only executes fraudulent money transfers from compromised devices, but also wipes those devices in an attempt to erase traces of the malware.
Italian cybersecurity firm Cleafy, which discovered the RAT in late May 2024, said the malware is under active development. It attributed the Android Trojan to a likely Romanian-speaking threat actor, based on Romanian-language comments in the source code of early versions.
“BingoMod belongs to the current generation of mobile RAT malware, as its remote access capabilities allow threat actors (TA) to perform account takeover (ATO) directly from an infected device, thus using on-device fraud (ODF),” researchers Alessandro Strino and Simone Mattia said.
This technique has also been observed in other Android banking Trojans such as Medusa (aka TangleBot), Copybara and TeaBot (aka Anatsa).
BingoMod, like BRATA, also stands out for its self-destruct mechanism, which is designed to remove evidence of the fraudulent transfers from an infected device and so hinder forensic analysis. Although this feature is limited to the device’s external storage, it is suspected that the remote access features could be used to trigger a full factory reset.
Some of the identified apps masquerade as antivirus tools and Google Chrome updates. Once installed, the app prompts the user to grant it accessibility service permissions, which it then uses to carry out its malicious actions.
This involves executing the main payload and locking the user out of the home screen while it collects device information, which is then transmitted to an attacker-controlled server. The malware also abuses the Accessibility Services API to steal sensitive information displayed on the screen (such as credentials and bank account balances) and grants itself permission to intercept SMS messages.
To initiate money transfers directly from compromised devices, BingoMod establishes a socket-based connection to its command-and-control (C2) infrastructure, over which it receives up to 40 remote commands, including taking screenshots via Android’s Media Projection API and interacting with the device in real time.
This also means the ODF technique relies on a human operator performing transfers of up to €15,000 (~$16,100) per transaction, rather than an automated transfer system (ATS) that could commit financial fraud at scale.
Another notable aspect is the threat actor’s emphasis on evading detection through code obfuscation and the ability to uninstall arbitrary apps from a compromised device, indicating that the malware authors prioritize simplicity over advanced features.
“In addition to real-time screen monitoring, the malware demonstrates phishing capabilities through Overlay Attacks and fake notifications,” the researchers said. “Unusually, overlay attacks are not launched when specific target programs are opened, but are initiated directly by the malware operator.”
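The capabilities described above (accessibility-service control of the UI, SMS interception, overlays, uninstalling apps and a possible device wipe) each leave a footprint in an app’s manifest. The following Python is an added triage example, not code from Cleafy or the BingoMod samples: it scans a decoded AndroidManifest.xml for that combination of declarations, and the sample manifest and the scoring thresholds are constructed for illustration.

```python
# Added example (not from the Cleafy report): heuristic triage of a decoded
# AndroidManifest.xml (e.g. output of apktool) for the capability mix the
# article attributes to BingoMod. Thresholds below are illustrative.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# <uses-permission> -> the reported behaviour it enables.
PERMISSION_INDICATORS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay phishing screens",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstalling other apps",
}
# android:permission on a <service>/<receiver> -> privileged binding requested.
COMPONENT_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility control of the UI",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin rights (remote wipe)",
}

def triage_manifest(xml_text: str) -> dict:
    """Return {'indicators': {name: behaviour}, 'verdict': high|medium|low}."""
    root = ET.fromstring(xml_text)
    found = {}
    for p in root.iter("uses-permission"):
        name = p.get(NS + "name")
        if name in PERMISSION_INDICATORS:
            found[name] = PERMISSION_INDICATORS[name]
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        perm = comp.get(NS + "permission")
        if perm in COMPONENT_INDICATORS:
            found[perm] = COMPONENT_INDICATORS[perm]
    # Accessibility alone is legitimate for many apps; the RAT profile is its
    # combination with SMS, overlay, package-deletion or device-admin power.
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in found
    if has_a11y and len(found) >= 3:
        verdict = "high"
    elif has_a11y or len(found) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"indicators": found, "verdict": verdict}

# Constructed sample: a fake "antivirus" app declaring the full combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".UiService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest reports all five indicators and a "high" verdict; a manifest requesting only INTERNET scores "low".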