This Android SMS phishing campaign steals your money AND wipes your data
The dark side of technology has once again shown its ugly face: there's an Android banking trojan that can wipe your phone's data after draining your bank account.
Researchers call it "BingoMod," according to a report from the cybersecurity site BleepingComputer.
The malware is spread through text messages (SMS phishing, or "smishing"), poses as a legitimate mobile security tool, and can be used to steal up to €15,000 (over $16,000) per transaction.
Researchers say that "BingoMod" is still being developed, with the creator working on making it harder to detect by adding code obfuscation and other evasion techniques.
The malware was discovered by researchers at Cleafy, a company that specializes in online fraud prevention. It is spread through SMS phishing campaigns and often uses names that suggest a security or update tool (like APP Protection, Antivirus Cleanup, Chrome Update, etc.). In some cases, it even uses the icon of the free AVG AntiVirus & Security app from Google Play.
When installed, the malware asks the user to enable its Accessibility Service. That permission lets an app read whatever is on the screen and perform taps, swipes and text input on the user's behalf, which gives the malware extensive control over the device.
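A quick triage check for the two warning signs described above (an app that arrived outside Google Play and now has an Accessibility Service enabled), added here as an example; it is not code from the Cleafy or BleepingComputer reports and does not model BingoMod's own code. On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`; the sample outputs below are constructed, and treating only `com.android.vending` (Google Play) as a trusted installer is an assumption you may want to widen for devices with a vendor app store.

```python
import re

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of package/service components.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.appprotection/.ProtectionService"
)

# Constructed sample output of:
#   adb shell pm list packages -i -3
# Third-party packages only, each with the package that installed it
# ("null" means there is no recorded installer, which is typical of a
# sideloaded APK such as one downloaded from a link in an SMS).
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.appprotection  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Assumption: only Google Play counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(value):
    """Return [(package, fully qualified service class), ...] from the setting value.

    The setting reads "null" (or is empty) when no accessibility service is on.
    A component may use the short form pkg/.Service, which is expanded here.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    services = []
    for component in value.strip().split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(pm_output):
    """Map package name -> installer package (None when pm reports 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_accessibility_services(a11y_value, pm_output, allowlist=frozenset()):
    """Flag enabled accessibility services owned by third-party apps that did
    not come from a trusted installer. Packages absent from the third-party
    list are system apps and are skipped; allowlisted packages are skipped too.
    """
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, cls in parse_enabled_services(a11y_value):
        if pkg in allowlist or pkg not in installers:
            continue
        installer = installers[pkg]
        if installer not in TRUSTED_INSTALLERS:
            flagged.append({"package": pkg, "service": cls, "installer": installer})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_accessibility_services(SAMPLE_ENABLED_A11Y, SAMPLE_PM_LIST):
        print(f"SUSPICIOUS: {hit['package']} runs {hit['service']} "
              f"(installer: {hit['installer']})")
```

A hit here is a lead, not a verdict: legitimate sideloaded apps (password managers from F-Droid, enterprise tools) also use Accessibility Services, so confirm by looking at the package's signing certificate and install time before acting.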
Once active, "BingoMod" can steal login information, take screenshots, and intercept text messages.
To commit on-device fraud (ODF), the malware sets up a channel to receive commands and send screenshots in real time, so the fraudulent transfers are carried out from the victim's own phone and look as if the victim is performing the actions.
Because the transaction comes from the victim's own device, network connection and logged-in session, this technique helps bypass standard anti-fraud systems that rely on identity verification.
Cleafy researchers reported that "the VNC routine abuses Android's Media Projection API to obtain real-time screen content. Once received, this is transformed into a suitable format and transmitted via HTTP to the TAs' [threat actors'] infrastructure."
Android normally shows a consent prompt before an app may capture the screen; using Accessibility Services, the malware can accept that screen-sharing request on the user's behalf.
Remote operators can send commands to "BingoMod" to click on specific areas, enter text, or launch apps. They can also show fake notifications to trick the user and send SMS messages from the infected phone to spread the malware further.
"BingoMod" can remove security apps from the device or block specific apps as commanded by the attacker.
To avoid detection, the creators have added code-flattening and string obfuscation, making it harder to identify.
If registered as a device admin app, the malware can be remotely commanded to wipe the device. According to Cleafy, this command is only issued after the money transfer has succeeded, and it erases only external storage. For a complete wipe, the attacker might use the remote-access channel to factory-reset the phone.
"BingoMod" is currently at version 1.5.1, but researchers believe it is still in early development.
So, dear PhoneArena readers, be extra alert and cautious!