Researchers at cybersecurity company Cleafy are warning people about new Android malware that can steal money from their bank accounts. It’s called BingoMod and is a type of remote access trojan, or RAT for short. Cleafy discovered it back in May 2024 and recently published a report on its website explaining how the malware operates. As you read the post, you’ll quickly realize just how threatening it is.
According to Cleafy, the bad actors behind BingoMod engage in “smishing” campaigns. Smishing is a portmanteau of “SMS” and “phishing” and is normally a “social engineering attack” that utilizes fake text messages to trick people into downloading malware. In this instance, BingoMod takes the form of a “legitimate antivirus” app.
It’s gone under several names: Chrome Update, InfoWeb, Sicurezza Web, WebInfo, and more. Plus, as BleepingComputer points out, the malware has even taken the logo for the legitimate AVG Antivirus & Security tool as its own.
Upon installation, BingoMod instructs users to “activate Accessibility Services” to enable the security software. In reality, doing so gives the malware the permissions it needs to infect the device.
Remote fraud
BingoMod then functions discreetly in the background, stealing login credentials, taking screenshots, and intercepting texts. Since the malware is so deeply integrated within a smartphone’s system, bad actors can control the device remotely “to perform on-device fraud,” or ODF. This is where the malware begins to send fraudulent transactions from the infected device to an outside location.
A phone’s security system can’t stop this process because BingoMod not only impersonates users but also disables said system. Cleafy states the malware is able to “uninstall arbitrary applications,” preventing security apps from detecting its presence. Once all these obstacles are gone, the threat actors can, at any time, wipe out all the data on the phone in one fell swoop.
If that’s not enough, an infected device could be used as a jump-off point to spread the malicious software further via text messages.
How to prevent being infected
It is a scary situation, but what’s scarier is that whoever is behind BingoMod is still actively working on it. Cleafy says the developers are looking for ways to “lower its detection rate against AV solutions.”
We only scratched the surface, so we highly recommend reading the report, which goes into deeper detail. The writers included pictures of the software’s code and some of its commands. Additionally, they found evidence indicating the person behind it all may be based in Romania, although they have help from developers across the world.
To protect yourself, the best thing you can do is not click any links from unrecognized or unverified sources. Be sure to download apps from reputable platforms such as the Google Play Store. Google told BleepingComputer that Play Protect is capable of detecting and blocking BingoMod, which is great, but we still strongly suggest exercising your due diligence.