• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Mobile
  • BingoMod Android RAT steals money from victims’ bank accounts and wipes data

BingoMod Android RAT steals money from victims’ bank accounts and wipes data

Pierluigi Paganini August 01, 2024

BingoMod is a new Android malware that can wipe devices after stealing money from the victims’ bank accounts.

Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts.

The Cleafy TIR team discovered the previously undetected malware at the end of May 2024. BingoMod was designed to initiate money transfers from the compromised devices via Account Takeover (ATO) using a well-known technique, called On Device Fraud (ODF). The malware can bypass bank users’ identity verification and authentication processes, it also avoids behavioural detection techniques applied by banks to identify suspicious money transfers.

Once installed on the victim’s device, BingoMod leverages various permissions, including Accessibility Services, to quietly steal sensitive information, including credentials, SMS messages, and current account balances.

The malicious code can also conduct overlay attacks and relies on VNC-like functionality to remotely access the compromised device. The researchers noticed that the malware typically wipe infected devices after a successful fraudulent transfer, in an attempt to hinder forensic investigations.

Cleafy observed the BingoMod targeting devices using English, Romanian, and Italian languages, however comments in the malware code suggest the authors may be Romanian.

The malware is in a development phase, the researchers reported that the authors are testing obfuscation techniques to avoid detection.

“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device Fraud (ODF) technique. This consolidation of this technique has already been seen recently by other banking trojans, such as Medusa, Copybara, and Teabot.” reads the report published by Cleafy. “These techniques have several advantages: they require less skilled developers, expand the malware’s target base to any bank, and bypass various behavioural detection countermeasures put in place by multiple banks and financial services.”

All the samples analyzed by the researchers are disguised as legitimate mobile security apps that are distributed via smashing.

After installation, BingoMod prompts users to activate Accessibility Services under the guise of necessary app functionality. Then the app unpacks and executes its malicious payload, before locking the user out of the main screen to gather device information and establish a C2 communication channel.

Once activated, BingoMod malware uses keylogging and SMS interception to steal sensitive information like login credentials and transaction authentication numbers. The malware supports around 40 remote control functions, including real-time screen monitoring through regular screenshots and full device control via Accessibility Services, allowing attackers to operate the device as if they were physically present.

The malware performs on-device fraud (ODF) by establishing a socket-based channel to receive commands and an HTTP-based channel to send a feed of screenshots.

BingoMod

“On the malware side, the VNC routine abuses Android’s Media Projection API to obtain real-time screen content. Once received, this is transformed into a suitable format and transmitted via HTTP to the TAs’ infrastructure.” continues the report. “An exciting feature of the routine is leveraging Accessibility Services to impersonate the user and enable the screen-casting request, exposed by the Media Projection API.”

BingoMod can also disable security solutions or block specific apps. The malware uses code-flattening and string obfuscation techniques to avoid detection.

“BingoMod shows relatively straightforward functionalities commonly found in most contemporary RAT, such as HiddenVNC for remote control and SMS suppression to intercept and manipulate communication and logging user interactions to steal sensitive data. The emphasis on obfuscation and unpacking techniques suggests that the developers may lack the sophistication or experience of more advanced malware authors.” concludes the report. “One notable aspect of this malware is its device-wiping capability, triggered after a fraudulent transaction. This behaviour is reminiscent of the Brata malware, which also employed device-wiping to cover its tracks and hinder forensic analysis.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)


facebook linkedin twitter

Android BingoMod Cybercrime Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini July 27, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55
Read more
Pierluigi Paganini July 27, 2025
Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT