Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts.
The Cleafy TIR team discovered the previously undetected malware at the end of May 2024. BingoMod was designed to initiate money transfers from the compromised devices via Account Takeover (ATO) using a well-known technique called On Device Fraud (ODF). The malware can bypass bank users’ identity verification and authentication processes, and it also evades the behavioural detection techniques that banks apply to identify suspicious money transfers.

The malicious code can also conduct overlay attacks and relies on VNC-like functionality to remotely access the compromised device. The researchers noticed that the malware typically wipes infected devices after a successful fraudulent transfer, in an attempt to hinder forensic investigations.

Cleafy observed BingoMod targeting devices using the English, Romanian, and Italian languages; however, comments in the malware code suggest the authors may be Romanian.

The malware is in a development phase; the researchers reported that the authors are testing obfuscation techniques to avoid detection.
“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device Fraud (ODF) technique. This consolidation of this technique has already been seen recently by other banking trojans, such as Medusa, Copybara, and Teabot.” reads the report published by Cleafy. “These techniques have several advantages: they require less skilled developers, expand the malware’s target base to any bank, and bypass various behavioural detection countermeasures put in place by multiple banks and financial services.”
All the samples analyzed by the researchers are disguised as legitimate mobile security apps that are distributed via smishing.