Cybersecurity researchers have discovered a new Android banking trojan called BingoMod that can perform fraudulent money transfers and wipe compromised devices to erase its tracks. The malware, developed by a likely Romanian-speaking threat actor, allows its operators to remotely control infected devices and steal sensitive information.
BingoMod belongs to the modern RAT generation of mobile malware: its remote access capabilities let the operators carry out Account Takeover (ATO) directly from the infected device, a technique known as on-device fraud (ODF) that has also been observed in other Android banking trojans such as Medusa and Copybara.
BingoMod also stands out for its self-erasing mechanism, which removes evidence of fraudulent transfers from the infected device. Although this wipe only affects external storage, the remote access features are suspected of being usable to trigger a complete factory reset.
The malware disguises itself as antivirus software or as an update for Google Chrome and prompts users to grant it Accessibility Service permissions. Once granted, those permissions let it carry out malicious actions such as collecting device information and stealing sensitive data.
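Because the whole chain hinges on a sideloaded app obtaining Accessibility Service access, a useful first triage check on a suspected device is to intersect the enabled accessibility services with the list of installers. The script below is an added example for this article, not code from the researchers or from the malware: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags any package that holds an enabled accessibility service but was not installed by the Play Store. The sample output embedded in the script is constructed to illustrate the formats, and the package name `com.example.chromeupdate` is a placeholder, not a real BingoMod indicator.

```python
"""
Triage helper: flag Android packages that hold an enabled Accessibility
Service but were not installed from the Play Store (i.e. sideloaded).

Inputs are the text normally produced by:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Assumption for this example: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output modelled on the real command formats; it is not
# captured from an infection, and com.example.chromeupdate is a placeholder.
# enabled_accessibility_services is a ':'-separated list of "package/ServiceClass".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/com.example.chromeupdate.AccessService"
)

# pm list packages -i prints "package:<pkg>  installer=<pkg or null>".
# Note that system apps (e.g. Settings) also report installer=null, which is why
# the installer alone is not a signal; the intersection with accessibility is.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chromeupdate  installer=null
package:com.android.settings  installer=null
"""

_PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service classes ('null' means none)."""
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package -> installer package, or None when pm reports 'null'."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        match = _PM_LINE.match(line.strip())
        if match:
            inst = match.group("installer")
            installers[match.group("pkg")] = None if inst == "null" else inst
    return installers


@dataclass(frozen=True)
class Finding:
    package: str
    services: tuple[str, ...]
    installer: str | None


def find_suspicious(enabled_raw: str, pm_raw: str) -> list[Finding]:
    """Return packages with an enabled accessibility service and an untrusted installer.

    A package missing from the pm listing is treated as untrusted as well.
    """
    enabled = parse_enabled_services(enabled_raw)
    installers = parse_installers(pm_raw)
    findings: list[Finding] = []
    for pkg, classes in sorted(enabled.items()):
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, tuple(classes), installer))
    return findings


def adb_shell(cmd: str) -> str:
    """Run a shell command on the attached device (live mode only)."""
    proc = subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        enabled_raw = adb_shell("settings get secure enabled_accessibility_services")
        pm_raw = adb_shell("pm list packages -i")
    else:
        enabled_raw, pm_raw = SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST
    for f in find_suspicious(enabled_raw, pm_raw):
        print(f"SUSPICIOUS {f.package} installer={f.installer} services={','.join(f.services)}")
```

Run it without arguments to see the heuristic on the constructed sample, or with `--live` against a device attached over adb. A hit is only a lead: legitimate accessibility tools installed outside the Play Store will trigger it too, so confirm by inspecting the flagged APK (label, signer, requested permissions) before concluding anything.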
To initiate money transfers, BingoMod establishes a socket-based connection with its command-and-control (C2) infrastructure, over which it can receive as many as 40 remote commands. Since ODF relies on a live operator driving the compromised device, transactions are carried out manually, at up to €15,000 per transaction.
The malware authors have prioritized simplicity over advanced features and rely on code obfuscation to evade detection. Additionally, BingoMod can uninstall arbitrary apps from compromised devices and deliver phishing content through overlay attacks and fake notifications.
Source: https://thehackernews.com/2024/08/new-android-banking-trojan-bingomod.html?m=1