

BingoMod Android RAT Wipes Devices After Stealing Money

The BingoMod Android trojan steals user information and communication and allows attackers to steal money via account takeover. The post BingoMod Android RAT Wipes Devices After Stealing Money appeared first on SecurityWeek.

A recently identified remote access trojan (RAT) is targeting Android users to steal their information and their money via account takeover (ATO), Cleafy reports.

Dubbed BingoMod and unrelated to known malware families, the RAT allows threat actors to initiate money transfers from the infected devices, bypassing authentication, verification, and behavioral detection protections by performing on-device fraud (ODF).

After infecting a device, the malware leverages permissions to steal user information such as SMS messages, credentials, and account details, performs overlay attacks, and provides remote access via VNC-like functionality.

Likely developed by Romanian speakers, BingoMod targets devices that use English, Romanian, and Italian.

“BingoMod is in a development phase, where developers are experimenting with obfuscation techniques to lower its detection rate against AV solutions. From the whole sample collected, what has emerged is the will to try multiple anti-analysis configurations rather than making the malware more complex in terms of functionalities,” Cleafy notes.

The malware was first identified in May 2024 and is distributed via smishing, often posing as a legitimate antivirus application. Once installed, it asks the user to enable Accessibility Services, claiming the permissions are necessary for correct functionality.

Once the permissions are granted, the malicious payload is executed and the user is locked out of the main screen while BingoMod collects device information and establishes communication with the command-and-control (C&C) server.
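The infection chain above hinges on the user granting an Accessibility Service to an app that merely poses as an antivirus. A practical triage step for a suspect device is to list the accessibility services that are actually enabled and flag any belonging to a user-installed package that has not been reviewed. The script below is an added example written for this article, not code from SecurityWeek or Cleafy; it parses constructed sample output in the format of two standard `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`) and the package names, service names and allowlist are all assumed for illustration.

```python
"""Triage helper: flag third-party apps holding an enabled Android
Accessibility Service, the permission BingoMod-style trojans ask for
right after installation.

The sample strings below are constructed stand-ins for the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample output (assumed values, not from the article).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/.GuardService"
)
SAMPLE_THIRD_PARTY_PACKAGES = """package:com.example.fakeav
package:com.example.bank
package:org.mozilla.firefox
"""

# Accessibility services that have been reviewed and are allowed (assumed list).
ALLOWLIST = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the colon-separated 'package/ServiceClass' entries returned by
    the secure setting enabled_accessibility_services."""
    services: list[AccessibilityService] = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        package, _, component = entry.partition("/")
        # A component beginning with '.' is shorthand relative to the package.
        if component.startswith("."):
            component = package + component
        services.append(AccessibilityService(package, component))
    return services


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse 'package:<name>' lines as printed by pm list packages -3."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def flag_suspicious(
    enabled: list[AccessibilityService],
    third_party: set[str],
    allowlist: set[str],
) -> list[AccessibilityService]:
    """Return enabled accessibility services owned by a user-installed
    package that is not on the reviewed allowlist."""
    return [
        svc for svc in enabled
        if svc.package in third_party and svc.package not in allowlist
    ]


if __name__ == "__main__":
    enabled = parse_enabled_services(SAMPLE_ENABLED_SERVICES)
    third_party = parse_third_party_packages(SAMPLE_THIRD_PARTY_PACKAGES)
    for svc in flag_suspicious(enabled, third_party, ALLOWLIST):
        print(f"REVIEW: {svc.package} has accessibility service {svc.component}")
```

On a real device, replace the two sample strings with the captured command output; a third-party package with an enabled accessibility service that nobody can account for is worth pulling the APK for, since that is exactly the foothold the article describes.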

Running in the background, it logs keystrokes, intercepts SMS messages, and establishes a socket-based connection with the C&C, enabling the threat actors to perform roughly 40 remote operations, such as interacting with the device’s screen to click buttons, fill forms, and navigate between applications.

“In addition to real-time screen control, the malware shows phishing capabilities through overlay attacks and fake notifications. Unusually, overlay attacks are not triggered when specific target apps are opened but are initiated directly by the malware operator,” Cleafy notes.

BingoMod also allows threat actors to send SMS messages from the infected devices, which could be used to spread the malware further.

To prevent its removal, the malware blocks the user from editing system settings, blocks specific applications, and uninstalls applications. To hide its tracks, it also allows attackers to wipe the infected device, typically after a fraudulent transfer has been performed.

“One notable aspect of this malware is its device-wiping capability, triggered after a fraudulent transaction. This behavior is reminiscent of the Brata malware, […] however, the simplicity and rudimentary nature of the code suggests that this feature is more of an easy exit strategy rather than an indication of any direct lineage or connection to Brata,” Cleafy notes.

Related: Massive OTP-Stealing Android Malware Campaign Discovered

Related: Thousands Download New Mandrake Android Spyware Version From Google Play

Related: New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets

Related: South Korean Users Targeted with Android Spyware ‘PhoneSpy’

