Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware.
Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions.
"BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said.
It's worth mentioning here that this technique has been observed in other Android banking trojans, such as Medusa (aka TangleBot), Copybara, and TeaBot (aka Anatsa).
BingoMod, like BRATA, also stands out for employing a self-destruction mechanism that's designed to remove any evidence of the fraudulent transfer on the infected device so as to hinder forensic analysis. While this functionality is limited to the device's external storage, it's suspected that the remote access features could be used to initiate a complete factory reset.
Some of the identified apps masquerade as antivirus tools and an update for Google Chrome. Once installed via smishing tactics, the app prompts the user to grant it accessibility services permissions, using it to initiate malicious actions.
This includes executing the main payload and locking out the user from the main screen to collect device information, which is then exfiltrated to an attacker-controlled server. It also abuses the accessibility services API to steal sensitive information displayed on the screen (e.g., credentials and bank account balances) and give itself permission to intercept SMS messages.
To initiate money transfers directly from compromised devices, BingoMod establishes a socket-based connection with the command-and-control infrastructure (C2) to receive as many as 40 commands remotely to take screenshots using Android's Media Projection API and interact with the device in real-time.
This also means that the ODF technique relies on a live operator to perform a money transfer of up to €15,000 (~$16,100) per transaction as opposed to leveraging an Automated Transfer System (ATS) to carry out financial fraud at scale.
Another crucial aspect is the threat actor's emphasis on evading detection using code obfuscation techniques and the ability to uninstall arbitrary apps from the compromised device, indicating that the malware authors are prioritizing simplicity over advanced features.
"In addition to real-time screen control, the malware shows phishing capabilities through Overlay Attacks and fake notifications," the researchers said. "Unusually, overlay attacks are not triggered when specific target apps are opened but are initiated directly by the malware operator."