Cybersecurity researchers have discovered a new Android remote access trojan (RAT) called BingoMod that not only carries out fraudulent money transfers from compromised devices but can also wipe the device to remove any traces of the malware.
Italian cybersecurity firm Cleafy, which discovered the RAT in late May 2024, said the malware is currently under development. The firm noted that Romanian-language comments in the source code of early versions suggest the Android Trojan likely comes from a Romanian-speaking threat actor.
“BingoMod belongs to the latest RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to perform account takeover (ATO) directly from the infected device and exploit on-device fraud (ODF) techniques,” said researchers Alessandro Storino and Simone Mattia.
It is worth mentioning here that this technique has also been observed in other Android banking Trojans such as Medusa (aka TangleBot), Copybara, and TeaBot (aka Anatsa).
BingoMod, like BRATA, also stands out in that it employs a self-destruct mechanism designed to remove all evidence of unauthorized transfers on the infected device, thwarting forensic analysis. This functionality is limited to the device’s external storage, but it is suspected that the remote access capabilities can be used to initiate a full factory reset.
Some of the identified apps pose as antivirus tools or Google Chrome updates. Once installed, the apps ask the user for accessibility service permission and use it to initiate malicious actions.
This involves executing the main payload to lock the user out of the main screen, collecting device information and exfiltrating it to an attacker-controlled server, and abusing the Accessibility Services API to steal sensitive information displayed on the screen (such as credentials and bank account balances) and grant itself permission to intercept SMS messages.
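The combination described above, an enabled accessibility service plus SMS permissions in a sideloaded app, is something an analyst can check for quickly with adb. The following is an added triage helper, not code from Cleafy or from the malware, that parses the `enabled_accessibility_services` secure setting and per-package `dumpsys package` permission lines and flags third-party packages that hold both. The sample setting value, the dumpsys excerpt, the package names and the allowlist are all constructed for this example; the `flag_suspicious` and `parse_enabled_services` names are this example's own.

```python
"""Triage helper (added example, not Cleafy's code and not BingoMod's code).

Inputs are the outputs of two adb commands captured from a device:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>        (only the permission grant lines matter)
Packages that both run an enabled accessibility service and hold SMS
permissions, and that are not on a vetted allowlist, are flagged.
Every sample string below is constructed for this example.
"""
import re

# Constructed sample: value of Settings.Secure ENABLED_ACCESSIBILITY_SERVICES.
# Format is "pkg/cls:pkg/cls"; a class may be abbreviated as ".Cls" relative to pkg.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeav/com.example.fakeav.AccessService"
)

# Constructed sample: excerpt approximating the runtime-permission section of
# `dumpsys package <pkg>` for each package (package names are made up).
SAMPLE_DUMPSYS = {
    "com.google.android.marvin.talkback": """
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false
    """,
    "com.example.fakeav": """
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false
    """,
}

# Constructed allowlist of accessibility services an analyst has vetted.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def parse_enabled_services(value: str) -> dict[str, str]:
    """Map package -> fully qualified service class from the colon-separated setting."""
    services = {}
    for component in filter(None, value.strip().split(":")):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # expand the abbreviated class form
            cls = pkg + cls
        services[pkg] = cls
    return services


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Return permission names reported as granted=true in a dumpsys excerpt."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_text))


def flag_suspicious(enabled_value: str, dumpsys_by_pkg: dict[str, str],
                    known_good: set[str]) -> list[dict]:
    """Flag non-allowlisted accessibility services; SMS access raises severity."""
    findings = []
    for pkg, cls in parse_enabled_services(enabled_value).items():
        if pkg in known_good:
            continue
        sms = sorted(granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMS)
        findings.append({
            "package": pkg,
            "service": cls,
            "sms_permissions": sms,
            "severity": "high" if sms else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS, KNOWN_GOOD):
        print(finding)
```

On a real device the allowlist should be built from the fleet's approved accessibility apps; any hit with SMS permissions is worth pulling the APK for analysis, since legitimate accessibility services rarely need to read SMS.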
To initiate money transfers directly from a compromised device, BingoMod establishes a socket-based connection with its command and control infrastructure (C2) and uses Android’s Media Projection API to take screenshots and remotely receive up to 40 commands to interact with the device in real time.
This also means that rather than leveraging automated transfer systems (ATS) to carry out large-scale financial fraud, the ODF approach relies on live operators to carry out transfers of up to €15,000 (approximately $16,100) per transaction.
Another key aspect is the threat actors’ use of code obfuscation techniques to evade detection and their focus on the ability to uninstall any app from a compromised device, indicating that the malware authors prioritize simplicity over advanced functionality.
“In addition to real-time screen control, the malware also has phishing capabilities through overlay attacks and fake notifications,” the researchers said. “Usually, overlay attacks are not triggered when a specific targeted app is opened, but are instead directly initiated by the malware operators.”