New BingoMod Malware Targets Android Devices, Steals Money and Erases Data

A new Android malware named BingoMod has been identified. It poses a significant threat because it not only steals money but also erases all data from infected devices. The malware can steal up to 15,000 EUR per transaction and is currently active.

It was discovered by the Cleafy TIR team in late May 2024. The malware’s authors are reportedly focusing on developing more obfuscation techniques, indicating that they might be relatively inexperienced compared to more seasoned malware creators.

BingoMod is distributed through SMS phishing schemes where it masquerades as legitimate mobile security tools. It disguises itself with names such as WebsIndfo, InfoWeb, WebSecurity, App Protection, or Antivirus Cleanup to trick users into installing it.

Once installed, the malware requests access to “Accessibility Services,” which grants it extensive control over the device, including the ability to execute remote commands.
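For defenders, one way to spot this pattern on a device is to list which third-party apps hold an enabled accessibility service and where they were installed from. The script below is an added example, not taken from the Cleafy report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and the trusted-installer set, the package names, the sample output and the app-label inventory are all constructed assumptions.

```python
import re

# Assumption: only the Play Store counts as a trusted installer; adjust per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Display names the article lists for BingoMod, lower-cased for comparison.
LURE_LABELS = {"websindfo", "infoweb", "websecurity", "app protection", "antivirus cleanup"}

def parse_accessibility(setting):
    """Packages named in the colon-separated component list (package/class), or 'null'."""
    pkgs = set()
    for comp in setting.strip().split(":"):
        if comp and comp != "null":
            pkgs.add(comp.split("/", 1)[0])
    return pkgs

def parse_installers(listing):
    """Map package -> installer (None if unknown) from `pm list packages -3 -i` output."""
    found = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", listing, re.M):
        found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def audit(setting, listing, labels=None):
    """Flag third-party apps with an accessibility service that were sideloaded
    or whose label (hypothetical inventory input) matches a name from the article."""
    labels = labels or {}
    installers = parse_installers(listing)
    findings = []
    for pkg in sorted(parse_accessibility(setting)):
        if pkg not in installers:      # not in the -3 listing: system app, skip
            continue
        reasons = []
        if installers[pkg] not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded")
        if labels.get(pkg, "").lower() in LURE_LABELS:
            reasons.append("lure-name")
        if reasons:
            findings.append((pkg, reasons))
    return findings

# Constructed sample output; the com.example.* packages are placeholders.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.websec/.CoreService:com.example.reader/.A11yService")
SAMPLE_LISTING = ("package:com.example.websec  installer=null\n"
                  "package:com.example.reader  installer=com.android.vending\n")
SAMPLE_LABELS = {"com.example.websec": "WebSecurity", "com.example.reader": "Reader"}

if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_SETTING, SAMPLE_LISTING, SAMPLE_LABELS):
        print(pkg, ",".join(reasons))
```

A sideloaded app with accessibility enabled is a triage signal rather than proof of infection, since legitimate tools distributed outside the store look the same.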


The malware supports over 40 remote commands, including screen monitoring, keylogging, and screenshot capture. After installation, BingoMod employs techniques like Account Takeover (ATO) and On-Device Fraud (ODF) to intercept messages, steal login credentials, and bypass bank authentication processes.

It is also designed to evade behavioral detection methods used by banks, making it difficult for traditional fraud detection systems to catch suspicious activities.

In addition to stealing financial information, BingoMod has a destructive component—it wipes all data from the infected device after completing its theft. This deletion of data is intended to prevent forensic analysis and hinder security experts from detecting and understanding the malware’s operations.

The malware also has the capability to block certain apps, including security apps, rendering them ineffective against the infection.

The malware’s authors are believed to be Romanian, based on their use of English, Romanian, and Italian in their phishing attempts. However, beyond this linguistic clue, little else is known about them.

The Cleafy TIR report notes that BingoMod exhibits common features of Remote Access Trojans (RATs), including remote control capabilities and SMS suppression, highlighting its effectiveness and the challenges in combating it.

Jen Garcia
Experienced finance and business news writer, exploring market dynamics with insightful analysis and engaging storytelling.