A new Android Remote Access Tool (RAT) has been discovered by security researchers, who have named it ‘BingoMod.’ The BingoMod RAT is often disguised in the form of popular security tools, and the associated malware family has been identified as a significant threat to Android users.
BingoMod utilizes On-Device Fraud (ODF) to initiate unauthorized money transfers from compromised devices, bypassing traditional banking security measures.
BingoMod Exploits Android Accessibility Services
BingoMod operates by gaining access to sensitive information such as credentials, SMS messages, and account balances. The Cleafy Threat Intelligence (TIR) team that initially identified the RAT tool in May said it achieves this by exploiting Accessibility Services and employing keylogging and SMS interception techniques on infected Android devices.
The malware’s core function is facilitating ODF, allowing threat actors to take control of the infected device and execute fraudulent transactions in real-time. Once installed, BingoMod prompts the user to activate Accessibility Services, disguising the request as necessary for the app to function correctly. If the user grants the requested permissions, the malware begins to unpack itself, executing its malicious payload.
BingoMod enables attackers to view and interact with the device remotely, utilizes overlay attacks and fake notifications for phishing purposes and can even allow attackers to send SMS messages from compromised devices, which could be used to distribute the the malware even further.
To maintain persistence and hinder analysis on infected devices, BingoMod incorporates several counter-measures. It restricts access to system settings, blocks specific applications, and could even uninstall security apps. As a nuclear option, the malware can also allow the attackers to remotely wipe the device’s storage, effectively erasing evidence of their activity.
BingoMod establishes a socket-based connection with the command and control infrastructure (C2) to receive commands from the actors. This allows the malware to provide around 40 remote control functions, including real-time screen control, screen interaction, and overlay attacks. The malware uses two separate communication channels: a socket-based channel for command transmission and an HTTP-based channel for image transfer.
Evolution and Obfuscation of BingoMod
Since its discovery, BingoMod has undergone a notable evolution, focusing primarily on obfuscation techniques to evade detection by antivirus solutions. While the core functionality remains largely unchanged, developers have implemented code-flattening and string obfuscation, significantly lowering its detection rate.
This suggests a focus on opportunistic attacks rather than developing more complex features. An interesting addition is an asynchronous callback mechanism in the PingUtil class, which sends “alive” signals to the command and control server, providing information about the bot’s status.
The developers of BingoMod are in an experimental phase, focusing on app obfuscation and packing processes to reduce detection against AV solutions. The researchers find evidence of this experimental nature in the changes observed between early and newer versions of the malware. While the overall structure and functionality remain the same, the obfuscation employed lowers the overall detection rate.
BingoMod’s self-destruction mechanism, which wipes the device remotely after a successful fraudulent transfer, is a relatively rare option in the Android device malware landscape, and the developers of BingoMod may be aware of similar methods used by other malware families, such as Brata. As the malware continues to evolve, it is essential for security researchers to monitor its development and adapt strategies to combat its threats.
