
New Android Malware Wipes Device After Emptying Bank Accounts


New Android malware, dubbed “BingoMod” by researchers, is capable of wiping a device after successfully stealing money from victims’ bank accounts using an on-device fraud technique.

The malware is promoted via text messages and disguises itself as a legitimate mobile security tool. Up to €15,000 can be stolen in a single transaction.

According to the researchers analyzing it, BingoMod is currently under active development, and its authors are focusing on adding code obfuscation and various security-bypass mechanisms in order to lower its detection rate.

BingoMod Details

Researchers from Cleafy, a company that deals with online fraud management and prevention solutions, have discovered that BingoMod is distributed via smishing (SMS phishing) campaigns and uses various names that usually indicate a mobile security tool (e.g. App Protection, Antivirus Cleaner, Chrome Updater, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo).

In one case, the malware used the icon of the free AVG AntiVirus & Security tool, available on Google Play.

During installation, the malware requests permission to use Accessibility Services, which offer advanced features that allow extensive control over the device.
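Because the Accessibility Service permission is the foothold this kind of malware relies on, a quick triage step on a suspect handset is to list which third-party packages currently have an accessibility service enabled. The script below is an added example, not code from Cleafy or from the article: it parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/class` component names, or `null` when unset) together with `adb shell pm list packages -3`, and flags any enabled service that belongs to a third-party package not on a vetted allowlist. The package names, the sample outputs and the allowlist are all constructed for the example.

```python
"""Triage helper: flag third-party Android apps that hold Accessibility Service access."""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# The real value is a colon-separated list of ComponentName strings ("package/class");
# a class beginning with "." is relative to its package.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.appprotect.cleaner/.AccessService:"          # constructed, mimics a fake "App Protection" app
    "com.websinfo.app/com.websinfo.app.RemoteSvc"    # constructed, mimics a fake "WebsInfo" app
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.appprotect.cleaner
package:com.websinfo.app
package:com.bank.mobile
"""

# Hypothetical allowlist: packages an organisation has vetted for accessibility access.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Split the setting value into (package, fully qualified service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":          # `settings get` prints "null" when the key is unset
        return []
    services = []
    for component in raw.split(":"):
        package, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def parse_third_party(raw):
    """Collect package names from `pm list packages -3` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def flag_suspicious(enabled_raw, third_party_raw, allowlist=KNOWN_GOOD):
    """Return findings for enabled accessibility services owned by unvetted third-party apps."""
    third_party = parse_third_party(third_party_raw)
    findings = []
    for package, cls in parse_enabled_services(enabled_raw):
        if package in allowlist:
            continue
        if package in third_party:
            findings.append({
                "package": package,
                "service": cls,
                "reason": "third-party app with an enabled accessibility service; review or remove",
            })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"{finding['package']}  {finding['service']}  {finding['reason']}")
```

On a real device the two raw strings come straight from the two `adb shell` commands named above; a hit does not prove infection, but any third-party app with accessibility access that the user cannot explain deserves a closer look, and the finding pairs naturally with checking the same package against the device-administrator list.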

Once activated, BingoMod steals login details, takes screenshots, and intercepts SMS messages.

To perform on-device fraud (ODF), the malware creates a socket-based channel to receive commands and an HTTP-based channel to send a stream of screenshots, enabling near real-time remote operation.

Figure: VNC engine and data exchange (Source: Cleafy)

ODF is a commonly used technique to initiate fraudulent transactions from a victim’s device, bypassing standard anti-fraud systems that rely on identity verification and authentication.

Cleafy researchers explain in today’s report that “the VNC routine abuses Android’s Media Projection API to obtain real-time screen content. Once received, it is transformed into an appropriate format and transmitted over HTTP to the TA (threat actor) infrastructure.”

One feature of this procedure is that it may use Accessibility Services “to impersonate a user and facilitate a screencast request, made available through the Media Projection API.”

Figure: BingoMod's VNC routine (Source: Cleafy)

The commands that remote operators can send to BingoMod include clicking on a specific area, writing text on a specific input element, and launching the application.

The malware also enables manual overlay attacks via fake notifications initiated by the threat actor, and a BingoMod-infected device can be used to further spread the malware via SMS messages.

Disabling security and deleting data

BingoMod can remove security solutions from the victim’s device or block the activity of applications that the attacker specified in the command.

To avoid detection, the malware authors added layers of code flattening and string obfuscation, which — judging by the scan results on VirusTotal — achieved their intended goal.

Figure: VirusTotal scan results (Source: Cleafy)

If the malware is registered on the device as a device administrator app, the operator can send a remote command to wipe the system. According to the researchers, this function is executed only after a successful transfer and affects only external storage.

Figure: Data wiping routine (Source: Cleafy)

To completely wipe the phone, an attacker can use remote access capabilities to delete all data and reset the phone’s system settings.

While BingoMod is currently at version 1.5.1, Cleafy says it is in the early stages of development.

Based on comments in the code, researchers believe that BingoMod may be the work of a Romanian developer. However, it is possible that developers from other countries are also involved.