Carding Forum
Advanced security circumvention and self-destruction of evidence are ushering in a new era of digital fraud.
Cybersecurity researchers from the Italian company Cleafy recently discovered a new remote access trojan (RAT) for Android called BingoMod, which not only performs fraudulent money transfers from infected devices but also erases the traces of its activity, leaving victims with little evidence of what happened.
The malware was discovered at the end of May this year and appears to be under active development. Cleafy attributes BingoMod to Romanian-speaking criminals because the source code contains comments in Romanian; in addition, the first uploads of the malware to VirusTotal were made from Romania. It is quite possible that the authors themselves uploaded it to check how well their creation evades security products.
Researchers Alessandro Strino and Simone Mattia note that BingoMod belongs to the modern generation of mobile Trojans that can perform Account Takeover (ATO) directly from an infected device, using the On-Device Fraud (ODF) technique. This technique has also been used in other Android banking Trojans, including Medusa, Copybara, and TeaBot.
Similar to the Brata malware, BingoMod features a self-destruct mechanism designed to remove evidence of fraudulent activity on an infected device, which makes it difficult to conduct a forensic examination. Although this feature is limited to the device's external storage, the researchers suspect that remote access capabilities can be used to completely reset the device to factory settings.
Some of the detected apps that distribute BingoMod are disguised as antivirus programs and updates for Google Chrome. Once installed, the app requests permission to access Android accessibility services, using them to perform malicious actions.
These actions include running the main malicious payload and locking the user out of the main screen while it collects information about the device, which is then sent to an attacker-controlled server.
The program also uses the Accessibility Services API to steal confidential information displayed on the screen (such as credentials and bank account balances), as well as to obtain permission to intercept SMS messages.
To initiate money transfers directly from infected devices, BingoMod establishes a connection to the command server to receive up to 40 commands remotely, taking screenshots using the Media Projection API and interacting with the device in real time. This technique allows a live operator to make money transfers of up to €15,000 in a single transaction.
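As an added illustration that is not part of the article or of Cleafy's research, the following Android code shows two defensive measures a banking app can apply against the accessibility-service and screen-capture techniques described above; the class and method names are hypothetical.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper for a banking app's transfer screen (added example, not from the page). */
public final class OdfGuard {

    /**
     * FLAG_SECURE stops screenshots and MediaProjection-based capture of this window,
     * so a remote operator cannot watch or record the transfer screen in real time.
     * Call from Activity.onCreate() before the layout is shown.
     */
    public static void protectTransferWindow(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                      WindowManager.LayoutParams.FLAG_SECURE);
    }

    /**
     * Returns the package names of enabled accessibility services that are not part of
     * the system image. Screen readers normally ship with the OS, so an unexpected
     * third-party service while a transfer is in progress is a strong indicator that a
     * trojan is driving the device; the app can then refuse the transfer and warn the user.
     */
    public static List<String> enabledNonSystemAccessibilityServices(Context ctx) {
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<String> risky = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            try {
                int flags = pm.getApplicationInfo(pkg, 0).flags;
                boolean systemApp = (flags & (ApplicationInfo.FLAG_SYSTEM
                                     | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) != 0;
                if (!systemApp) risky.add(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                risky.add(pkg); // package cannot be resolved: treat as risky
            }
        }
        return risky;
    }
}
```

Legitimate third-party accessibility tools will also appear in the list, so treat a non-empty result as a reason to warn and step up verification rather than as proof of infection.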
The operators also put effort into evading detection, using code obfuscation and the ability to remove arbitrary applications from an infected device.
BingoMod also has phishing capabilities through overlay attacks and fake notifications. Unusually, the overlays are not triggered automatically when a targeted application is opened, but are launched on demand by the malware operator.
The emergence of sophisticated malware such as BingoMod underscores the need to strengthen cybersecurity measures on personal devices. To protect against such threats, we recommend:
- install apps only from official stores;
- be critical of permission requests, especially for accessibility services;
- keep a close eye on bank transactions and immediately report suspicious activity to your bank's support team.
Keep in mind that vigilance and healthy skepticism are key elements of your digital security.
Source