Researchers at cybersecurity firm Cleafy are warning people about a new Android malware that can steal money from bank accounts. It’s called BingoMod and is a type of remote access trojan, or RAT. Cleafy discovered it in May 2024 and recently published a report on its website explaining how the malware works. As you read the post, you’ll quickly realize how threatening it is.
According to Cleafy, the malicious actors behind BingoMod engage in “smishing” campaigns. Smishing is a portmanteau of “SMS” and “phishing” and is typically a “social engineering attack” that uses fake text messages to trick people into downloading malware. In this case, BingoMod takes the form of a “legitimate antivirus” app.
It goes by several names: Chrome Update, InfoWeb, Sicurezza Web, WebInfo, and more. And, as BleepingComputer points out, the malware has even taken the logo of the legitimate AVG Antivirus & Security tool as its own.
Upon installation, BingoMod prompts users to “turn on accessibility services,” supposedly to enable the security software. In reality, granting that access gives the malware the permissions it needs to infect the device.
Remote Fraud
BingoMod works discreetly in the background, stealing login credentials, taking screenshots, and intercepting text messages. Since the malware is so deeply embedded in a smartphone’s system, malicious actors can remotely control it to “perform on-device fraud,” or ODF. It’s here that the malware begins sending fraudulent transactions from the infected device to an off-site location.
A phone’s security system cannot stop this process because BingoMod not only impersonates the user, but also disables the security system. Cleafy claims that the malware is capable of “uninstalling arbitrary apps,” preventing security apps from detecting its presence. Once all these obstacles are gone, the threat actors can, at any time, wipe all data on the phone in one fell swoop.
As if that weren't enough, an infected device could be used as a launching point to spread malware via text messages.
How to prevent infection
It's an alarming situation, but what's more alarming is that whoever is behind BingoMod is still actively working on it. Cleafy says the developers are looking for ways to “reduce its detection rate against antivirus solutions.”
We've only scratched the surface, so we recommend reading the report, which goes into more detail. The authors included screenshots of the software's code and some of its commands. They also found evidence that the person behind all this may be based in Romania, although they are assisted by developers around the world.
To protect yourself, the best thing you can do is not click on any links from unrecognized or unverified sources. Make sure you download apps from trusted platforms like the Google Play Store. Google told BleepingComputer that Play Protect is able to detect and block BingoMod, which is great, but we still strongly recommend you exercise due diligence.