Recent media reports have cited cybersecurity researchers discovering a new Android remote access trojan (RAT) that’s currently referred to as BingoMod. The BingoMod Android RAT is capable of transferring funds from compromised devices and erasing its traces of existence. In this article, we’ll dig into the details of the Android RAT and uncover how an attack plays out. Let’s begin!

BingoMod Android RAT Initial Discovery

The BingoMod RAT, one of the most severe cybersecurity threats today, was initially discovered in May 2024 by Cleafy, an Italian cybersecurity firm. The cybersecurity firm has stated that the threat actor behind the BingoMod RAT is likely associated with Romania.

The assumption comes as a result of the language being used as comments in earlier version source codes. Providing additional details pertaining to the BingoMod Android RAT, researchers Alessandro Strino and Simone Mattia stated:

“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique.” 

Android Banking Trojans: Techniques And Capabilities

Reports claim that these techniques of gaining access and conducting fraudulent transactions have been prevalent in other Android banking trojans. Some of the trojans that function based on similar methods include Medusa (aka TangleBot), Copybara, and TeaBot (aka Anatsa).

Apart from these techniques, what makes the BingoMod RAT a severe threat is its ability to evade detection. The RAT is equipped with a self-destruction mechanism, allowing it to remove any traces pertaining to its existence on a compromised device.

It’s worth mentioning here that this functionality is limited to the device’s external storage. However, given that the BingoMod RAT has a remote access feature it could possibly trigger a complete factory reset on the compromised device.

BingoMod Android RAT Attack Chain

The Android RAT enters into a target device in the form of an app. Threat actors resort to smishing tactics to get the users to download and install the malicious app. Once installed, the app seeks permission pertaining to accessibility services, given that they are needed to execute a sequence of actions that include:

1. Executing the main payload.
2. Locking out the user from the main screen.
3. Collecting device information.
4. Sending the data to a server controlled by the threat actor.

Since the Android RAT has acquired accessibility services permission, it can collect sensitive data such as credentials and other banking details and also has the ability to intercept SMS messages.

The BingoMod RAT also develops a socket-based connection with the command-and-control infrastructure (C2). Doing so allows it to receive up to 40 commands related to real-time device interactions. These commands are what initiate the money transfers on a victim’s device.

Conclusion

The BingoMod RAT represents a significant cybersecurity threat due to its advanced capabilities, including remote access, data exfiltration, and self-destruction features. Given how severe the Android RAT is, organizations and individuals should adopt proactive security measures that are essential to mitigate the risks posed by this sophisticated malware to remain protected.

The sources for this piece include articles in The Hacker News and Security Affairs.

The post Hackers Use BingoMod Android RAT For Fraudulent Transactions appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/hackers-use-bingomod-android-rat-for-fraudulent-transactions/