A new Android malware currently making the rounds is about as terrifying as any we’ve seen in recent months. Researchers from Cleafy Labs say they analyzed a previously undocumented Android remote access trojan (RAT) in May, which they later dubbed BingoMod. The malware’s goal is to initiate fraudulent money transfers from the infected device, but BingoMod has one more trick up its sleeve: it tries to wipe the device once it’s done.
BingoMod works much like other Android malware families we have covered recently. First, the victim is tricked into installing a malicious app that poses as legitimate antivirus software. After installation, BingoMod prompts the user to grant the app access to Accessibility Services, the Android feature that lets an app read what is on screen and perform taps and text input on the user’s behalf. If the user agrees, the app unpacks and launches its malicious payload.
From then on, BingoMod runs in the background and tries to harvest credentials through keylogging and SMS interception, the latter also catching one-time codes delivered by text message. Once the operators have what they need, they take remote control of the device and initiate money transfers from it, so the fraudulent transactions originate from the victim’s own phone.
To protect itself, BingoMod makes it difficult to edit system settings on the device, blocks specific apps from running, and even uninstalls other apps when necessary.
But, as Cleafy explains, BingoMod has a blunter way of covering its tracks once the fraud is done:
BingoMod’s most notable security measure is its ability to wipe the device remotely with a dedicated command. This feature can be implemented by BingoMod when it is a device administrator and is typically executed after a successful fraud.
However, this functionality is limited to the device’s external storage only, so we speculate that the complete wipe is performed by [threat actors] directly from the device’s system settings, leveraging BingoMod’s remote access capabilities.
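The two behaviours described above, abuse of Accessibility Services and a wipe command that only works once the app is a device administrator, leave a footprint that an analyst with a cable and adb can audit. The script below is an added, defender-side example; it is not code from the article, from Cleafy, or from the malware. It parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` (invented package names, format approximated from real devices) and reports every package that holds both privileges, plus which admins carry the `wipe-data` policy that `DevicePolicyManager.wipeData()` requires.

```shell
#!/bin/sh
# Added audit script (not from the article or from Cleafy): lists the packages
# on an Android device that hold both privileges a BingoMod-style RAT needs,
# an enabled Accessibility Service (keylogging, UI control) and an active
# device administrator (the wipe command), and separately lists which admins
# carry the wipe-data policy. On a real device the two inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
# The samples below are constructed to mimic that output; the package names
# are invented. Only the ComponentInfo{pkg/cls} and policy lines are parsed.

SAMPLE_A11Y='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.secure.avscan/com.secure.avscan.core.AccService'

SAMPLE_DPM='Current Device Policy Manager state:
  Device Owner:
    (none)
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.secure.avscan/com.secure.avscan.core.AdminReceiver}:
      uid=10234
      policies:
        wipe-data
        force-lock
    ComponentInfo{com.example.mdm/com.example.mdm.Receiver}:
      uid=10101
      policies:
        reset-password'

# Package names with an enabled Accessibility Service. The setting is a
# colon-separated list of "package/ServiceClass" entries.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Package names of every active device admin in the dumpsys output.
admin_packages() {
    printf '%s\n' "$1" \
        | sed -n '/Enabled Device Admins/,$p' \
        | sed -n 's#.*ComponentInfo{\([^/]*\)/.*#\1#p' \
        | sort -u
}

# Device admins whose policy list includes wipe-data, i.e. the ones that are
# allowed to call DevicePolicyManager.wipeData(); an admin without it cannot.
admins_with_wipe_policy() {
    printf '%s\n' "$1" | awk '
        /Enabled Device Admins/ { in_section = 1 }
        in_section && (i = index($0, "ComponentInfo{")) > 0 {
            rest = substr($0, i + 14)
            pkg = substr(rest, 1, index(rest, "/") - 1)
        }
        in_section && $1 == "wipe-data" && pkg != "" { print pkg }
    ' | sort -u
}

# Packages holding both privileges. Legitimate MDM or accessibility apps can
# appear here, so treat a hit as a lead to investigate, not a verdict.
suspicious_packages() {
    admins=$(admin_packages "$2")
    accessibility_packages "$1" | while IFS= read -r pkg; do
        if printf '%s\n' "$admins" | grep -qFx "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Stand-alone run against the constructed samples.
echo "accessibility + device admin:"
suspicious_packages "$SAMPLE_A11Y" "$SAMPLE_DPM" | sed 's/^/  /'
echo "device admins with wipe-data policy:"
admins_with_wipe_policy "$SAMPLE_DPM" | sed 's/^/  /'
```

On a live device, replace the two sample variables with the captured command output (for example `SAMPLE_DPM=$(adb shell dumpsys device_policy)`). An app that appears in both lists and that the user does not recognise as a management or assistive tool is exactly the profile Cleafy describes, and the `wipe-data` check tells you whether it could have triggered the remote wipe itself.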
While Cleafy researchers admit that BingoMod isn’t as sophisticated as other infamous Android trojans, such as the banking malware SharkBot, they still warn that BingoMod “poses significant risks to end-users and financial institutions due to the potential for substantial economic loss and the disruption of personal data security.”
UPDATE | August 2: A Google spokesperson reached out with the following statement: “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”