BingoMod Banking Trojan
Cybersecurity researchers have discovered a new Android Remote Access Trojan (RAT) named BingoMod. This malware facilitates fraudulent money transfers from infected devices and wipes them to eliminate traces of its presence.
Uncovered in late May 2024, BingoMod is thought to be actively under development. The Trojan is likely linked to a Romanian-speaking threat actor, as early versions of the source code contain comments written in Romanian.
The Threatening Capabilities of the BingoMod RAT
BingoMod belongs to the latest generation of mobile Remote Access Trojans (RATs). Its advanced remote access capabilities enable threat actors to carry out Account Takeovers (ATOs) directly from infected devices, using an on-device fraud (ODF) technique.
This method has also been seen in other Android banking trojans, such as Medusa (also known as TangleBot), Copybara and TeaBot (also known as Anatsa).
Similar to BRATA, BingoMod features a self-destruction mechanism designed to erase evidence of fraudulent transfers from the infected device, complicating forensic analysis. While this function currently affects only the device's external storage, it is suspected that the remote access capabilities could be used to initiate a full factory reset.
BingoMod Gets Inside People’s Phones Under the Guise of Seemingly Useful Applications
Some of the discovered applications disguise themselves as security tools or Google Chrome updates. After being installed through smishing tactics, the app asks the user for accessibility services permissions, which it then uses to perform harmful activities.
These activities include deploying the primary payload, locking the user out of the main screen to gather device information, and exfiltrating this data to a server controlled by the attacker. Additionally, the application exploits the accessibility services API to harvest sensitive information displayed on the screen, such as credentials and bank account balances. It grants itself permission to intercept SMS messages.
Threat Actors Operate the BingoMod RAT Directly
To carry out money transfers directly from compromised devices, BingoMod establishes a socket-based connection with its Command-and-Control (C2) infrastructure. This allows it to receive up to 40 remote commands, including taking screenshots via Android's Media Projection API and interacting with the device in real-time.
The On-Device Fraud (ODF) technique used by BingoMod requires a live operator to manually process money transfers of up to €15,000 (~$16,100) per transaction rather than using an Automated Transfer System (ATS) for large-scale financial fraud.
Additionally, the malware employs code obfuscation techniques and can uninstall arbitrary applications from the compromised device, suggesting that the authors prioritize evading detection and simplicity over advanced features.
Beyond real-time screen control, BingoMod also has phishing capabilities through overlay attacks and fake notifications. Unlike typical overlay attacks that are triggered when specific target applications are opened, BingoMod initiates these attacks directly on command from the malware operator.
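The behaviours described above (an app delivered by smishing, i.e. sideloaded, that asks for accessibility services, intercepts SMS, can uninstall other apps and draws overlays) can be turned into a simple triage heuristic over a device's package inventory. The following is an added example written for this article, not code from the original report or from any analysis tool; the `AppRecord` field names and the sample inventory are constructed and assumed to resemble a simplified parse of `adb shell dumpsys package`. The permission and package identifiers themselves are real Android names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Real Android permission / package identifiers used by the heuristic.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
UNINSTALL_PERM = "android.permission.REQUEST_DELETE_PACKAGES"
PLAY_STORE = "com.android.vending"
# Lure themes the article attributes to BingoMod (security tool, Chrome update).
LURE_WORDS = ("chrome", "update", "security", "antivirus")


@dataclass
class AppRecord:
    """Simplified view of one installed package (field names are assumptions)."""
    package: str
    label: str
    installer: Optional[str]  # None = sideloaded, no installing package recorded
    requested: Set[str] = field(default_factory=set)
    # (service class name, permission the service is declared with)
    services: List[Tuple[str, str]] = field(default_factory=list)


def risk_indicators(app: AppRecord) -> List[str]:
    """Return the indicator tags that apply to this app, in a fixed order."""
    tags: List[str] = []
    if app.installer != PLAY_STORE:
        tags.append("sideloaded")
    if any(perm == ACCESSIBILITY_BIND for _, perm in app.services):
        tags.append("accessibility-service")
    if app.requested & SMS_PERMS:
        tags.append("sms-intercept")
    if OVERLAY_PERM in app.requested:
        tags.append("overlay")
    if UNINSTALL_PERM in app.requested:
        tags.append("uninstall-apps")
    if any(word in app.label.lower() for word in LURE_WORDS):
        tags.append("lure-name")
    return tags


def is_suspicious(tags: List[str]) -> bool:
    """An accessibility service on its own is legitimate (screen readers);
    flag only a sideloaded accessibility service combined with at least one
    further capability or a lure-style name."""
    return ("sideloaded" in tags and "accessibility-service" in tags
            and len(tags) >= 3)


def triage(apps: List[AppRecord]) -> Dict[str, List[str]]:
    """Map each flagged package to the indicators that fired."""
    flagged: Dict[str, List[str]] = {}
    for app in apps:
        tags = risk_indicators(app)
        if is_suspicious(tags):
            flagged[app.package] = tags
    return flagged


# Constructed sample inventory: a Play Store Chrome, a fake "Chrome Update"
# with the BingoMod-style permission set, and a sideloaded screen reader.
SAMPLE_APPS = [
    AppRecord("com.android.chrome", "Chrome", PLAY_STORE,
              {"android.permission.INTERNET"}),
    AppRecord("com.example.chrome.update", "Chrome Update", None,
              {"android.permission.INTERNET", *SMS_PERMS,
               OVERLAY_PERM, UNINSTALL_PERM},
              [("com.example.chrome.update.AccSvc", ACCESSIBILITY_BIND)]),
    AppRecord("org.example.reader", "Screen Reader", None,
              {"android.permission.INTERNET"},
              [("org.example.reader.ReaderService", ACCESSIBILITY_BIND)]),
]

if __name__ == "__main__":
    for pkg, tags in triage(SAMPLE_APPS).items():
        print(f"{pkg}: {', '.join(tags)}")
```

The threshold in `is_suspicious` is deliberately conservative: a sideloaded accessibility app with no SMS, overlay or uninstall permission is left alone, which keeps legitimate assistive tools out of the result.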