Alarming: A New Virus Appears That Drains Your Account and Deletes Your Cellphone Data
Morrissey Technology – An Android malware strain called BingoMod has been found to drain bank accounts and wipe cellphone data. The malware is promoted via text messages and masquerades as a legitimate mobile security tool. It can steal up to 15,000 Euros (around IDR 262 million) per transaction. According to the researchers who analyzed it, BingoMod is under active development: its authors are focusing on adding code obfuscation and various evasion mechanisms to reduce detection rates.
Researchers at Cleafy, an online fraud management and prevention company, found BingoMod being distributed in smishing (SMS phishing) campaigns, BleepingComputer reported. The malicious apps use names that suggest mobile security tools, such as APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo. In one example, the malware used the icon of the free AVG AntiVirus & Security app available on Google Play. During installation, the malware requests permission to use the Accessibility Service, which provides advanced features that allow broad control over the device.
Once active, BingoMod steals login credentials, takes screenshots, and reads SMS messages. To perform on-device fraud (ODF), the malware creates a socket-based channel to receive commands and an HTTP-based channel to send a feed of screenshots, enabling near real-time remote operation. ODF is a common technique for initiating fraudulent transactions from the victim's own device, which circumvents standard anti-fraud systems that rely on identity verification and authentication. Cleafy researchers explain that this Virtual Network Computing (VNC)-style activity abuses Android's Media Projection API to obtain screen content in real time.
Once captured, the screen content is converted into a suitable format and transmitted via HTTP to the threat actor's infrastructure. A notable feature of this activity is that it leverages Accessibility Services to impersonate the user and approve the screen-casting request that the Media Projection API presents. Commands a remote operator can send to BingoMod include clicking on specific areas of the screen, writing text into specific input fields, and launching applications. The malware also enables manual overlay attacks via fake notifications initiated by the criminals. Additionally, infected devices can be used to spread the malware further via SMS.
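Because the Accessibility Service grant is what lets BingoMod approve the screen-casting prompt and click on the victim's behalf, a quick triage check is to list which packages currently hold accessibility access and flag any that are not expected. The following is an added example, not code from the article or from Cleafy; on a real device the input string would come from `adb shell settings get secure enabled_accessibility_services`, and the sample value and package names below are constructed placeholders rather than indicators from the BingoMod report.

```python
"""Flag Android accessibility services that are not on an allowlist.

The Android setting `enabled_accessibility_services` holds colon-separated
component names of the form package/ServiceClass. On a device it is read with:
    adb shell settings get secure enabled_accessibility_services
The SAMPLE_SETTING below is constructed to mimic an infected device.
"""

# Constructed allowlist: accessibility services an organisation expects to see.
# TalkBack is Android's built-in screen reader and a common legitimate holder.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",
}

# Constructed sample output: TalkBack plus a hypothetical lure app that
# obtained accessibility access (placeholder package name, not a real IoC).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.webinfo/.AccessService"
)


def parse_services(setting):
    """Split the setting value into (package, service_class) tuples.

    Tolerates empty entries and expands Android's abbreviated class form,
    where "pkg/.Svc" means the class "pkg.Svc".
    """
    result = []
    for item in setting.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        result.append((pkg, cls))
    return result


def find_unexpected(setting, allowlist=KNOWN_GOOD):
    """Return sorted package names holding accessibility access but not allowlisted."""
    return sorted({pkg for pkg, _ in parse_services(setting) if pkg not in allowlist})


if __name__ == "__main__":
    for pkg in find_unexpected(SAMPLE_SETTING):
        print(f"unexpected accessibility service holder: {pkg}")
```

Any package reported here that the user did not deliberately enable, especially one whose label resembles the lure names above, deserves a closer look and removal of the grant.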