New Android Malware BingoMod Drains Bank Accounts and Wipes Devices

Chris Thompson

A new and dangerous Android malware, known as BingoMod, has been identified by cybersecurity experts, sparking significant concerns among Android users globally. This malware not only targets your bank accounts but also wipes infected devices, leaving victims with severe financial and data losses. As BingoMod continues to evolve, understanding its workings and taking preventive measures is more critical than ever.

What is BingoMod?

BingoMod is a sophisticated Remote Access Trojan (RAT) first detected in May 2024 by Cleafy, an Italian cybersecurity firm. This malware stands out for its ability to perform On-Device Fraud (ODF), a technique that allows cybercriminals to bypass the security measures banks use to verify identities and detect suspicious transactions. Unlike typical malware that focuses on stealing data, BingoMod takes control of the infected device, enabling fraud directly from the user’s smartphone.

Once installed, BingoMod quickly starts its malicious activities. It leverages the device’s Accessibility Services, a feature often exploited by malware to gain extensive control over a smartphone. This access allows BingoMod to quietly steal sensitive information, including login credentials, SMS messages, and current account balances. The malware can also perform overlay attacks, where fake screens are displayed to trick users into entering their information, further compromising security.

How BingoMod Operates

The spread of BingoMod is primarily through phishing messages that mimic legitimate Android security applications. These messages are crafted to appear authentic, using familiar icons and names such as those of popular antivirus apps. When an unsuspecting user installs the fake app, BingoMod immediately requests permissions that grant it almost complete control over the device.

After securing these permissions, BingoMod begins executing its primary objectives: stealing data and enabling fraudulent transactions. It establishes two communication channels—one for receiving commands from the attackers and another for sending screenshots and other data back to them. This setup allows cybercriminals to monitor the device in real time, interact with apps, enter text, and even control the device remotely as if they were physically using it.

This real-time control is particularly dangerous because it allows the attackers to bypass security features that rely on behavioral detection or multi-factor authentication. By operating from the victim’s actual device, BingoMod makes it exceedingly difficult for banks to distinguish between legitimate and fraudulent activities.

Device Wiping and Evasion Tactics

One of the most concerning aspects of BingoMod is its ability to wipe the infected device after completing its malicious activities. Once a fraudulent transaction has been successfully executed, the malware can initiate a wipe of the device’s external storage. This action effectively removes any trace of the malware, making forensic analysis and investigation nearly impossible.

Additionally, if the malware has been registered as a device administrator app, it can perform a more comprehensive wipe by resetting the device through the system settings, erasing all data and returning the phone to its factory state.

BingoMod also employs advanced techniques to evade detection. It uses code-flattening and string obfuscation, making it difficult for antivirus software to identify its presence. Even widely used malware detection services like VirusTotal have struggled to detect the latest versions of BingoMod, highlighting the sophistication of its design.

Protecting Yourself from BingoMod

Given the advanced capabilities of BingoMod, prevention is the best strategy for protection. Avoid clicking on links in unsolicited text messages, no matter how legitimate they appear. Always verify the source of any app before downloading, particularly those that claim to offer enhanced security features. Android users should ensure that Google Play Protect is enabled on their devices, as it provides a layer of protection by blocking known versions of this malware.

It’s important to note that BingoMod is still in active development, which means it could become even more dangerous over time. As the malware evolves, so too should your vigilance. Regularly update your device, use strong, unique passwords, and be cautious with the permissions you grant to apps.

We’ve added definitions for BingoMod to our Android app, Certo Mobile Security. Run a free scan now to see if you’ve been affected by BingoMod. By staying informed and using trusted security tools, you can significantly reduce the risk of falling victim to BingoMod and other similar threats.

BingoMod represents a significant threat to Android users, combining advanced fraud techniques with destructive capabilities. While its full potential may still be unfolding, the current impact of this malware is already severe, emphasizing the need for heightened awareness and proactive security measures.

Known Compromised Apps

Below is a list of apps that are currently known to contain the BingoMod Remote Access Trojan. If you find any of these on your device, we recommend removing them as soon as possible.

| App Name | Package Name |
| --- | --- |
| APP Protection, Antivirus Cleanup, Chrome Update | com.djokovic.chromeupdate |
| InfoWeb | com.coffeestainstudios.goatsimulator |
| SicurezzaWeb, WebSecurity | com.ccandroid.suite |
| WebsInfo | com.bimiboo.coloring, com.halfbrick.joyride |
| WebInfo | com.tocaboca.tocahairsalon4 |
| APKAPPSCUDO | com.danza.perfectarcher, com.kanko.negruzzi, com.vonation.hitenhit, com.pescado.hitenhit, com.primo.eternalache, com.bleuinc.xperinz, com.pelosi.polskaball, com.deco.canta |

Source: Cleafy
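As an added triage example (not part of the original article or Certo's product), the script below checks the output of two standard adb commands against the package names listed above: `adb shell pm list packages` to see whether any known BingoMod package is installed, and `adb shell settings get secure enabled_accessibility_services` to see whether one of those packages has been granted the Accessibility Service the malware depends on. The device output embedded here is constructed for illustration, and the service class name `MainService` is a hypothetical placeholder, not a real BingoMod component.

```python
from typing import Dict, List

# Package names from the "Known Compromised Apps" list above (Cleafy IoCs).
BINGOMOD_PACKAGES = {
    "com.djokovic.chromeupdate", "com.coffeestainstudios.goatsimulator",
    "com.ccandroid.suite", "com.bimiboo.coloring", "com.halfbrick.joyride",
    "com.tocaboca.tocahairsalon4", "com.danza.perfectarcher",
    "com.kanko.negruzzi", "com.vonation.hitenhit", "com.pescado.hitenhit",
    "com.primo.eternalache", "com.bleuinc.xperinz", "com.pelosi.polskaball",
    "com.deco.canta",
}


def parse_pm_list(output: str) -> List[str]:
    """Parse 'adb shell pm list packages' output: one 'package:<name>' per line."""
    pkgs = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.append(line[len("package:"):])
    return pkgs


def parse_accessibility_services(setting: str) -> List[str]:
    """Parse 'settings get secure enabled_accessibility_services' output.

    The value is a colon-separated list of component names 'pkg/ServiceClass',
    or the literal 'null' when nothing is enabled. Returns the package part only.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [c.split("/", 1)[0] for c in setting.split(":") if c]


def triage(pm_output: str, a11y_setting: str) -> Dict[str, List[str]]:
    """Report installed IoC packages and which of them hold Accessibility access."""
    installed = set(parse_pm_list(pm_output))
    a11y = set(parse_accessibility_services(a11y_setting))
    hits = sorted(installed & BINGOMOD_PACKAGES)
    return {
        "installed_iocs": hits,
        "iocs_with_accessibility": sorted(p for p in hits if p in a11y),
    }


# Constructed sample device output (not captured from a real infection).
SAMPLE_PM = "package:com.android.chrome\npackage:com.ccandroid.suite\npackage:com.example.bank\n"
SAMPLE_A11Y = ("com.ccandroid.suite/com.ccandroid.suite.MainService:"  # hypothetical class
               "com.google.android.marvin.talkback/.TalkBackService")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```

A hit in `iocs_with_accessibility` is the higher-priority finding, since Accessibility access is what lets the RAT read screens and drive the banking app; removal of the package and a review of recent transactions should follow.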