New Android Trojan BingoMod Drains Funds and Erases Devices

Cybersecurity experts have identified a newly emerging Android remote access trojan (RAT) named BingoMod. This malicious software is capable of not only stealing money from infected devices but also wiping them clean to cover its tracks.

The researchers noted that the malware is still under active development. Evidence suggests that the trojan may be the work of a Romanian-speaking threat actor, as early versions of the code include comments written in Romanian.

“BingoMod represents the latest evolution in mobile malware, offering remote access that enables attackers to take over accounts directly from infected devices. This technique, known as on-device fraud (ODF), has been seen in other Android banking trojans like Medusa, Copybara, and TeaBot,” explained researchers.

Like the BRATA malware, BingoMod also features a self-destruct mechanism designed to erase traces of its fraudulent activities on the infected device, complicating forensic investigations. Currently, this feature affects only the device’s external storage, but it is suspected that the malware’s remote access capabilities could also trigger a full factory reset.

Some of the malicious apps linked to BingoMod disguise themselves as antivirus software or updates for Google Chrome. Once installed through phishing tactics, these apps prompt users to grant them accessibility service permissions, which are then exploited to perform harmful actions.

This includes executing the main malware payload, locking users out of their devices, collecting device data, and sending this information to a server controlled by the attacker. Additionally, the malware leverages the accessibility services API to steal sensitive on-screen information, such as login credentials and bank balances, and intercept SMS messages.

BingoMod establishes a socket-based connection with its command-and-control (C2) server to execute up to 40 different commands remotely, enabling it to take screenshots using Android’s Media Projection API and interact with the device in real time. This allows a live operator to manually conduct money transfers of up to €15,000 (~$16,100) per transaction, rather than relying on an Automated Transfer System (ATS) for large-scale financial fraud.

The malware’s authors have also focused on evading detection by using code obfuscation and including features that allow the trojan to uninstall other apps from the infected device. This indicates that the developers are prioritizing a streamlined approach over adding complex features.

“In addition to its real-time screen control, BingoMod can perform phishing attacks through overlay attacks and fake notifications,” the researchers added. “Interestingly, these overlay attacks are not triggered by specific target apps but are instead initiated directly by the malware operator.”

To protect yourself from BingoMod and similar Android trojans, always download apps from trusted sources like the Google Play Store and avoid clicking on suspicious links, especially those received via SMS or email. Regularly update your device’s software to patch vulnerabilities, and enable two-factor authentication (2FA) for added security on your accounts.

Additionally, be cautious of granting accessibility permissions to apps, as this is a common method used by malware to take control of your device.
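Because accessibility-service abuse is the pivot point described above, a practical defensive check is to audit which apps on a device currently hold an enabled accessibility service and flag any third-party app that is not on a known-good list. The script below is an added example written for this article; it is not code from the researchers or from the malware analysis. It parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`). The sample strings, the `com.example.*` package names and the `KNOWN_GOOD` allowlist are constructed for the demonstration and are not indicators of BingoMod.

```python
"""Audit enabled Android accessibility services via adb.

Added example, not from the article or the researchers it quotes. It flags
third-party packages that hold an enabled accessibility service but are not
on an assumed allowlist. Sample inputs below are constructed; the
com.example.* names are placeholders, not real malware indicators.
"""
import subprocess

# Assumed allowlist of packages that legitimately use accessibility services
# on this fleet (e.g. a screen reader). Adjust for your environment.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass` entries,
    or the literal string `null` when no service is enabled. Android may
    abbreviate `com.foo/com.foo.Svc` to `com.foo/.Svc`; expand that form.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for item in raw.split(":"):
        if "/" not in item:
            continue  # skip malformed fragments rather than mis-attribute them
        pkg, svc = item.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse `pm list packages -3` output (one `package:<name>` per line)."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def find_suspicious(enabled, third_party, known_good=KNOWN_GOOD):
    """Return (package, service) pairs held by non-allowlisted third-party apps.

    System components (not in the `-3` list) are ignored: the attack pattern
    in the article is a sideloaded or phished app requesting accessibility.
    """
    return [
        (pkg, svc)
        for pkg, svc in enabled
        if pkg in third_party and pkg not in known_good
    ]


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device; requires adb on PATH."""
    out = subprocess.run(
        ["adb", "shell", cmd], capture_output=True, text=True, check=True
    )
    return out.stdout


# Constructed sample output, shaped like the real commands' output.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakechromeupdate/.AccService"
)
SAMPLE_THIRD_PARTY = (
    "package:com.example.fakechromeupdate\n"
    "package:com.example.notes\n"
)


def audit_sample():
    """Run the check against the constructed sample data (offline)."""
    enabled = parse_enabled_services(SAMPLE_ENABLED)
    third_party = parse_third_party_packages(SAMPLE_THIRD_PARTY)
    return find_suspicious(enabled, third_party)


if __name__ == "__main__":
    # Live run against a connected device; falls back to nothing if adb fails.
    enabled = parse_enabled_services(
        adb_shell("settings get secure enabled_accessibility_services")
    )
    third_party = parse_third_party_packages(adb_shell("pm list packages -3"))
    for pkg, svc in find_suspicious(enabled, third_party):
        print(f"REVIEW: third-party app {pkg} holds accessibility service {svc}")
```

On a real device, any package reported by this script warrants a manual look: a legitimate screen reader or automation tool belongs on the allowlist, while an "antivirus" or "Chrome update" that was sideloaded from a link should be removed. The check is a snapshot, so it is most useful run periodically or as part of a mobile-device-management compliance script.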