Pierluigi Paganini
August 01, 2024
Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts.
The Cleafy TIR team discovered the previously undetected malware at the end of May 2024. BingoMod was designed to initiate money transfers from the compromised devices via Account Takeover (ATO) using a well-known technique, called On Device Fraud (ODF). The malware can bypass bank users’ identity verification and authentication processes, it also avoids behavioural detection techniques applied by banks to identify suspicious money transfers.
The malicious code can also conduct overlay attacks and relies on VNC-like functionality to remotely access the compromised device. The researchers noticed that the malware typically wipe infected devices after a successful fraudulent transfer, in an attempt to hinder forensic investigations.
Cleafy observed the BingoMod targeting devices using English, Romanian, and Italian languages, however comments in the malware code suggest the authors may be Romanian.
The malware is in a development phase, the researchers reported that the authors are testing obfuscation techniques to avoid detection.
“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device Fraud (ODF) technique. This consolidation of this technique has already been seen recently by other banking trojans, such as Medusa, Copybara, and Teabot.” reads the report published by Cleafy. “These techniques have several advantages: they require less skilled developers, expand the malware’s target base to any bank, and bypass various behavioural detection countermeasures put in place by multiple banks and financial services.”
All the samples analyzed by the researchers are disguised as legitimate mobile security apps that are distributed via smashing.
After installation, BingoMod prompts users to activate Accessibility Services under the guise of necessary app functionality. Then the app unpacks and executes its malicious payload, before locking the user out of the main screen to gather device information and establish a C2 communication channel.
Once activated, BingoMod malware uses keylogging and SMS interception to steal sensitive information like login credentials and transaction authentication numbers. The malware supports around 40 remote control functions, including real-time screen monitoring through regular screenshots and full device control via Accessibility Services, allowing attackers to operate the device as if they were physically present.
The malware performs on-device fraud (ODF) by establishing a socket-based channel to receive commands and an HTTP-based channel to send a feed of screenshots.
“On the malware side, the VNC routine abuses Android’s Media Projection API to obtain real-time screen content. Once received, this is transformed into a suitable format and transmitted via HTTP to the TAs’ infrastructure.” continues the report. “An exciting feature of the routine is leveraging Accessibility Services to impersonate the user and enable the screen-casting request, exposed by the Media Projection API.”
BingoMod can also disable security solutions or block specific apps. The malware uses code-flattening and string obfuscation techniques to avoid detection.
“BingoMod shows relatively straightforward functionalities commonly found in most contemporary RAT, such as HiddenVNC for remote control and SMS suppression to intercept and manipulate communication and logging user interactions to steal sensitive data. The emphasis on obfuscation and unpacking techniques suggests that the developers may lack the sophistication or experience of more advanced malware authors.” concludes the report. “One notable aspect of this malware is its device-wiping capability, triggered after a fraudulent transaction. This behaviour is reminiscent of the Brata malware, which also employed device-wiping to cover its tracks and hinder forensic analysis.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
