Attention Android users

BingoMod malware disguises itself as a security app

Android users should beware of the new BingoMod malware. It disguises itself as a security app and can steal money, delete data and completely take over the infected device.

Security researchers from Cleafy have discovered a new, particularly devious remote access Trojan (RAT) that targets devices with Android operating systems. Its name: BingoMod. It carries out so-called overlay attacks and enables remote access to the infected devices via a type of virtual network computing (VNC). Once on the Android device, the RAT attempts to obtain money. To do this, it spies on sensitive data in order to take over accounts.

The Trojan was discovered back in May 2024. It can bypass authentication, verification and behavior detection protection measures by carrying out on-device fraud (ODF), as is the case with other banking Trojans such as Medusa, Copybara and Teabot. What makes BingoMod particularly sneaky is that it hides behind legitimate applications and often poses as a security app, such as “APP Protection”, “AVG AntiVirus & Security” or “WebSecurity”, to trick unsuspecting users into downloading and installing it.

According to Cleafy’s security researchers, BingoMod requires access to accessibility services after installation in order to become active and execute the malicious payload. It then supplies its operators with sensitive data through keylogging, in which the accessibility services are exploited to steal login data or account balances. TANs sent by SMS are also intercepted and forwarded to those behind the attack. It also establishes a socket-based connection for the ODF.

BingoMod currently offers around 40 remote control functions, including real-time screen control through VNC-like routines and screen interaction. It uses Android’s Media Projection API to take screenshots and so get a comprehensive overview of what is on the display. The hackers can send arbitrary commands to the affected devices, allowing them to attack banking apps and steal up to €15,000 per transaction. BingoMod also allows its operators to send SMS messages, which could potentially spread the malware further.

The malware cannot be easily removed once it has gained a foothold on a device, as users are prevented from editing system settings, blocking certain applications and uninstalling apps. To cover its tracks, BingoMod uses code obfuscation techniques that make it difficult for security software to detect. Some variants of the malware can wipe the device’s data by performing a factory reset to remove evidence of the theft – a tactic reminiscent of, but not directly related to, the Brata malware.

BingoMod is currently targeting devices that use English, Romanian and Italian. The security researchers assume that the malware is still in the development phase and that the operators are experimenting with obfuscation techniques to reduce the detection rates of antivirus solutions.

This does not bode well for the future. Android users should therefore be particularly careful, install apps only from the official Google Play Store and avoid apps from other websites. You should also pay attention to the permissions an app requests and carefully consider whether it actually needs those rights to operate. It is also advisable to install reliable security software and carry out regular updates.

(vp/8com GmbH & Co. KG)