
Trojan BingoMod Steals Money and Wipes Devices


News, Antara News – Security researchers have discovered a new Android remote-access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from infected devices but also wipes those devices in an attempt to erase all traces of the infection.

Cleafy, the Italian cybersecurity firm that discovered the RAT at the end of May 2024, stated that the malware is under active development. Cleafy attributes the trojan to a likely Romanian-speaking threat actor, based on Romanian-language comments found in the source code of earlier versions.

New Android Banking Trojan BingoMod Steals Money

“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique,” researchers Alessandro Strino and Simone Mattia stated.

It is worth noting that this technique has been observed in other Android banking trojans such as Medusa (aka TangleBot), Copybara and TeaBot (aka Anatsa).

Like BRATA, BingoMod also has a self-destruct mechanism intended to erase any trace of a fraudulent transfer from the infected device and thereby hinder forensic analysis. This functionality is limited to the device's external storage, but the remote access capabilities could be used to trigger a full factory reset of the device.

Some of the apps pose as antivirus software or as an update to Google Chrome. Once installed through smishing (SMS phishing) campaigns, the app prompts the user to grant it accessibility service permissions, which it then abuses to carry out its malicious activities.

These include running the primary payload and locking the user out of the main screen while collecting device data and sending it to an attacker-controlled server. The malware also abuses the accessibility services API to read sensitive data shown on screen (e.g., usernames, passwords and bank account balances) and to grant itself permission to access SMS messages.

To perform money transfers directly from compromised devices, BingoMod connects over sockets to the command-and-control (C2) infrastructure and accepts more than 40 remote commands, allowing the operator to capture screenshots via the Android Media Projection API and to interact with the device in real time.

The ODF approach relies on a live operator to carry out fund transfers of up to EUR 15,000 (~$16,100) per transaction, rather than using an Automated Transfer System (ATS) to commit financial fraud at scale.

Another notable aspect is the threat actors' focus on evading detection through code obfuscation, along with the ability to uninstall arbitrary apps from the infected device. This indicates that the operators prioritise simple, reliable features over advanced capabilities.

“In addition to real-time screen control, the malware shows phishing capabilities through Overlay Attacks and fake notifications,” the researchers claimed. “Unusually, overlay attacks are not triggered when specific target apps are opened but are initiated directly by the malware operator.”
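The capabilities described above (accessibility service abuse, SMS access, overlay attacks, remote wipe via device admin, screen capture and uninstalling other apps) all leave a footprint in an app's manifest. The following is an added example, not code from the article or from Cleafy, of a small static triage check that scores an Android manifest for that combination of signals; the two manifests, the permission weights and the threshold are constructed assumptions for this example, not a published scale.

```python
"""Static triage of an Android manifest for BingoMod-style RAT signals.

Added example (assumptions: the weights, threshold and sample manifests are
constructed for illustration; the permission names are real Android ones).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions an app requests via <uses-permission>. Weights are an assumption.
USES_PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 2,                               # read OTP/SMS
    "android.permission.RECEIVE_SMS": 2,                            # intercept SMS
    "android.permission.SYSTEM_ALERT_WINDOW": 3,                    # overlay attacks
    "android.permission.REQUEST_DELETE_PACKAGES": 2,                # uninstall other apps
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": 2,    # screen capture
}
# Permissions that protect components; declared on <service>/<receiver>, not requested.
COMPONENT_PERMISSION_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,  # accessibility service
    "android.permission.BIND_DEVICE_ADMIN": 3,           # device admin -> wipe
}
HIGH_RISK_THRESHOLD = 8  # assumption: tuned for this example only


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(manifest_xml: str) -> dict:
    """Return package name, additive risk score, reasons and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    reasons, score = [], 0

    for node in root.iter("uses-permission"):
        perm = _attr(node, "name")
        weight = USES_PERMISSION_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            reasons.append(f"requests {perm}")

    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = _attr(node, "permission")
            weight = COMPONENT_PERMISSION_WEIGHTS.get(perm, 0)
            if weight:
                score += weight
                reasons.append(f"{tag} {_attr(node, 'name')} protected by {perm}")

    # Accessibility together with SMS or overlay access is the on-device-fraud
    # combination the article describes, so the combination itself adds weight.
    has_a11y = any("BIND_ACCESSIBILITY_SERVICE" in r for r in reasons)
    has_sms_or_overlay = any("SMS" in r or "SYSTEM_ALERT_WINDOW" in r for r in reasons)
    if has_a11y and has_sms_or_overlay:
        score += 3
        reasons.append("accessibility combined with SMS/overlay access")

    verdict = "high" if score >= HIGH_RISK_THRESHOLD else "low"
    return {"package": package, "score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample: an app posing as antivirus with the full RAT footprint.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.antivirus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(manifest)
        print(f"{result['package']}: score={result['score']} verdict={result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The check is deliberately manifest-only: it costs nothing to run over a batch of APKs pulled from a fleet, and an "antivirus" or "Chrome update" package that carries an accessibility service, SMS permissions and a device-admin receiver at the same time is worth a closer look regardless of what its code looks like after obfuscation. A low score is not a clean bill of health, since permissions can also be requested at runtime or granted through accessibility abuse as the article describes.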
