Android malware erases all data on the device after money is stolen

Carding Forum

A new malicious program for Android not only tries to empty users' bank accounts, but also completely erases the data on the device, effectively implementing the destructive functionality of a wiper. The malware has been named BingoMod.

The malware is spread by text messages. Attackers try to disguise BingoMod as security software for mobile devices.

Researchers from Cleafy who studied the wiper believe that it is still under development. In particular, the authors are trying to add a code obfuscation mechanism and other tricks to avoid detection.

In the SMS messages used to distribute BingoMod, it is presented under various names designed to give it a legitimate appearance: APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo.

During installation, the malicious app requests access to a special feature of the Android operating system, Accessibility Services. If the user grants these rights, the malware is able to gain control of the device.

Next, BingoMod extracts credentials, takes screenshots, and reads SMS messages; all of this is needed to steal money from users' bank accounts.

Specially created communication channels, over a socket and over HTTP, allow it to receive commands and send a stream of captured screenshots. Thus, with the help of BingoMod, attackers can conduct a remote operation almost in real time.

According to the Cleafy report, BingoMod can remove security programs from the device, as well as block the operation of certain applications specified by the authors in the code.

To avoid detection, the operators have added code flattening and obfuscation. Judging by the scan results on VirusTotal, these methods work quite well.

As already mentioned, BingoMod can erase all information on the device. To do this, the operator must send it the appropriate command after stealing all of the victim's money. The Cleafy report shows the part of the code responsible for the wipe.
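The post describes the combination that makes BingoMod dangerous once installed: an app presented under a "security" or "update" name that asks for an Accessibility Service and reads SMS. The following triage script is an added example, not part of the original post and not Cleafy's tooling. It parses the decoded text form of an AndroidManifest.xml (as produced by tools such as apktool) and flags that combination. The scoring heuristic is an assumption of this example; the permission names are real Android identifiers, and both sample manifests are constructed for illustration.

```python
"""Manifest triage for sideloaded Android packages (added example).

Flags the pattern described in the BingoMod write-up: a lure-style app
label, a declared Accessibility Service, and SMS read/receive permissions.
The heuristic and the sample manifests are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's namespaced attribute prefix

# Lure names quoted in the post, lower-cased for comparison.
LURE_LABELS = {
    "app protection", "antivirus cleanup", "chrome update", "infoweb",
    "sicurezzaweb", "websecurity", "websinfo", "webinfo", "apkappscudo",
}

# Real Android permission names.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyse_manifest(xml_text: str) -> dict:
    """Return package name, label, findings and a suspicious verdict.

    Note: real manifests usually carry the label as a resource reference
    (e.g. "@string/app_name"); resolving that from res/values/strings.xml
    is left out here, so only literal labels match the lure list.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = (app.get(A + "label") or "").strip() if app is not None else ""
    perms = {e.get(A + "name") for e in root.findall("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is how an app gets
    # the UI-driving capability the post refers to.
    binds_a11y = any(
        s.get(A + "permission") == ACCESSIBILITY_BIND for s in root.iter("service")
    )

    findings = []
    if label.lower() in LURE_LABELS:
        findings.append(f"label matches a BingoMod lure name: {label!r}")
    if binds_a11y:
        findings.append("declares an Accessibility Service (can drive the UI)")
    if perms & SMS_PERMISSIONS:
        findings.append("requests SMS read/receive permissions")

    # Assumed threshold: two or more indicators together warrant review.
    return {
        "package": root.get("package"),
        "label": label,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


# Constructed sample: a lure-style package with the full combination.
SAMPLE_LURE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lure">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="WebSecurity">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no such indicators.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        result = analyse_manifest(sample)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

On the lure sample the script reports all three indicators and marks the package suspicious; the benign sample yields no findings. A legitimate accessibility app (a screen reader, say) would also trip the Accessibility Service check on its own, which is why the verdict requires more than one indicator rather than treating any single permission as malicious.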