
Hackers use BingoMod Android RAT for fraudulent transactions



According to recent media reports, cybersecurity researchers have discovered a new Android Remote Access Trojan (RAT), currently dubbed BingoMod. The BingoMod Android RAT can transfer money from compromised devices and cover its tracks. In this article, we will look at the details of the Android RAT and uncover how an attack occurs. Let’s get started!

First discovery of BingoMod Android RAT

The BingoMod RAT, one of the most serious cybersecurity threats currently, was originally discovered in May 2024 by Cleafy, an Italian cybersecurity company. The cybersecurity firm stated that the threat actor behind the BingoMod RAT is likely linked to Romania.

This assumption is based on the use of the Romanian language in source-code comments of previous versions. Researchers Alessandro Strino and Simone Mattia provided further details about the BingoMod Android RAT:

“BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to perform an account takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique.”

Android banking Trojan: techniques and capabilities

According to reports, these techniques to gain access and perform fraudulent transactions are also widely used by other Android banking Trojans. Some of the Trojans that rely on similar methods are Medusa (also known as TangleBot), Copybara and TeaBot (also known as Anatsa).

In addition to these techniques, what makes the BingoMod RAT a serious threat is its ability to evade detection. The RAT is equipped with a self-destruct mechanism that allows it to remove all traces of its existence on an infected device.

It is worth mentioning here that this functionality is limited to the device’s external storage. However, since BingoMod RAT has a remote access capability, it could potentially trigger a full factory reset on the compromised device.

BingoMod Android RAT Attack Chain

The Android RAT enters the target device in the form of an app. Threat actors resort to smishing tactics to trick users into downloading and installing the malicious app. Once installed, the app requests Accessibility Services permission, which it needs in order to perform a number of actions, including:

  1. Executing the main payload.
  2. Locking the user out of the main screen.
  3. Collecting device information.
  4. Sending the data to a server controlled by the threat actor.

Since the Android RAT has acquired Accessibility Services permission, it can collect sensitive data such as login credentials and other banking information, and is also capable of intercepting SMS messages.

The BingoMod RAT also establishes a socket-based connection to the command-and-control (C2) infrastructure. This allows it to receive up to 40 commands related to real-time device interactions. These commands trigger the money transfers on a victim’s device.

Conclusion

The BingoMod RAT poses a significant cybersecurity threat due to its advanced capabilities, including remote access, data exfiltration, and self-destruct functionality. Given the severity of the Android RAT, businesses and individuals should take proactive security measures to mitigate the risks posed by this sophisticated malware and stay protected.

Sources for this article include articles in The Hacker News and Security Affairs.

The post “Hackers use BingoMod Android RAT for fraudulent transactions” appeared first on TuxCare.

*** This is a syndicated blog from TuxCare’s Security Bloggers Network, written by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/hackers-use-bingomod-android-rat-for-fraudulent-transactions/
