# BingoMod
BingoMod is an Android remote access trojan (RAT) focused on on-device fraud and post-fraud evidence destruction. Cleafy discovered the family in July 2024, identifying active campaigns dating back to late May 2024. BingoMod combines VNC-like remote access with overlay attacks, approximately 40 C2 commands, and a device-wiping capability reminiscent of BRATA's factory reset kill switch. Distributed through smishing campaigns disguised as antivirus or mobile security applications, BingoMod performs Account Takeover (ATO) via on-device fraud, then wipes the victim's device to destroy forensic evidence. Romanian-language comments found throughout the source code suggest the developers may be Romanian, though attribution remains unconfirmed.
## Overview
| Attribute | Details |
|---|---|
| First Seen | Late May 2024 |
| Status | Active, under development |
| Type | Banking RAT, on-device fraud |
| Attribution | Possibly Romanian developers (Romanian code comments) |
| Distribution | Smishing, fake antivirus/security apps |
## Origin and Lineage
BingoMod does not share a direct code lineage with any known Android banking trojan family. Cleafy's analysis identified it as an independently developed project. However, the malware borrows operational concepts from established families:
| Concept | Precedent |
|---|---|
| Device wiping after fraud | BRATA introduced factory reset as evidence destruction in January 2022 |
| VNC-like remote access | Octo, Hook, and other device-takeover trojans use screen streaming for ODF |
| Overlay attacks | Standard technique across the banking trojan ecosystem |
| Fake security app distribution | Common distribution theme used by BRATA and others |
The device-wiping capability is the most notable borrowed concept. BRATA first deployed factory reset as evidence destruction in 2022, and its descendant Copybara continued the approach. BingoMod independently implements the same strategy, suggesting the developers studied existing families and incorporated proven techniques.
Romanian-language code comments throughout the source provide a potential attribution lead. The comments appear in variable names, function descriptions, and inline annotations, suggesting the primary developer writes in Romanian rather than using a translation tool.
## Distribution
BingoMod distributes exclusively through smishing campaigns. The lures consistently impersonate mobile security or antivirus applications.
| Vector | Details |
|---|---|
| Smishing | SMS messages with links to download fake security apps |
| Fake antivirus apps | APKs disguised as mobile security tools, antivirus scanners, or Chrome updates |
| App icons | Uses icons from legitimate security apps to appear trustworthy |
### Lure Themes
Cleafy documented several app names used in distribution:
| Fake App Name | Impersonation |
|---|---|
| APP Protection | Generic antivirus |
| Antivirus Cleanup | Security scanner |
| Chrome Update | Browser update |
| InfoWeb | Utility app |
| SicurezzaWeb | Italian security app |
| WebSecurity | Security tool |
| WebsInfo | Information utility |
| WebInfo | Information utility |
The variety of names suggests active experimentation with lure themes. The inclusion of Italian-language app names ("SicurezzaWeb") alongside English ones indicates targeting of both Italian and English-speaking users.
## Capabilities

### Core Features
| Capability | Implementation |
|---|---|
| VNC-like remote access | Real-time screen streaming and remote interaction via accessibility service |
| Overlay attacks | Credential phishing overlays displayed over target banking apps |
| SMS interception | Reads, intercepts, and forwards SMS for OTP capture |
| Device wiping | Factory resets or wipes external storage after successful fraud |
| Keylogging | Accessibility-based keystroke capture |
| Screen capture | Screenshots of active applications |
| Notification interception | Monitors and suppresses notifications |
| App management | List installed apps, launch specific applications |
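The capability table above maps onto a recognisable set of Android permissions and components: an accessibility service (screen streaming, remote input, keylogging), a device-admin receiver (factory reset), SMS permissions (OTP capture), `SYSTEM_ALERT_WINDOW` (overlays) and battery-optimization exemption (persistence). The following script is an added example, not code from the Cleafy report or from the malware, that triages a decoded AndroidManifest.xml for that combination. The permission and intent-action names are real Android identifiers; the weights, the threshold and the sample manifests are this example's own constructed heuristic and test data.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component combination that device-takeover RATs rely on.

Added example; the manifests below are synthetic, not BingoMod samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are this example's own analyst heuristic, not a vendor scoring scheme.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 2,                           # OTP interception
    "android.permission.READ_SMS": 2,                              # OTP interception
    "android.permission.SYSTEM_ALERT_WINDOW": 2,                   # overlay attacks
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,  # persistence
    "android.permission.QUERY_ALL_PACKAGES": 1,                    # app listing
}
# Intent actions that identify an accessibility service and a device-admin receiver.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Lure vocabulary drawn from the fake app names documented for this family.
LURE_KEYWORDS = ("antivirus", "security", "protection", "cleanup", "update", "sicurezza")
SUSPICIOUS_THRESHOLD = 6  # constructed cut-off for this example


def triage_manifest(xml_text: str) -> dict:
    """Return a score, the individual findings and a coarse verdict."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in perms:
            findings.append(perm)
            score += weight

    # Any <action> under a service/receiver intent-filter, regardless of nesting.
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    if ACCESSIBILITY_ACTION in actions:   # screen reading / remote input capability
        findings.append("accessibility-service")
        score += 3
    if DEVICE_ADMIN_ACTION in actions:    # wipeData / factory-reset capability
        findings.append("device-admin-receiver")
        score += 3

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    if any(k in label.lower() for k in LURE_KEYWORDS):
        findings.append(f"security-themed-label:{label}")
        score += 1

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed manifest resembling a fake "security" app (not a real sample).
SAMPLE_RAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="APP Protection">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("rat", SAMPLE_RAT_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

The score is only a prioritisation aid for an analyst queue: legitimate accessibility tools and MDM agents legitimately hold some of these, so the strong signal is the co-occurrence of an accessibility service, a device-admin receiver and SMS access in a sideloaded app with a security-themed label.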
### On-Device Fraud (ODF)
BingoMod performs Account Takeover through on-device fraud. The operator connects to the victim's device via the VNC-like remote access channel and directly interacts with the victim's banking application:
- Operator initiates remote session via C2
- Accessibility service provides real-time screen content to the operator
- Operator navigates to banking app and initiates wire transfer
- SMS interception captures any OTP sent by the bank
- Operator completes the transaction using captured OTP
- Device wipe command sent after successful transfer
### Device Wiping
The device-wiping capability serves two purposes: evidence destruction and victim confusion. After a successful fraudulent transfer, BingoMod can:
- Perform a factory reset of the device (requires device admin privileges)
- Wipe external storage contents
This destroys the malware itself along with any forensic artifacts on the device. The victim is left with a wiped phone and must recover their device before they can check their bank account, buying the attacker time to move stolen funds through money mule networks.
### C2 Command Set
Cleafy identified approximately 40 distinct C2 commands, spanning:
| Category | Commands |
|---|---|
| Remote control | Screen streaming, tap, swipe, text input, gesture simulation |
| Data theft | SMS reading, contact exfiltration, app listing |
| Fraud support | Overlay injection, notification interception, OTP capture |
| Persistence | Disable battery optimization, prevent uninstallation |
| Evidence destruction | Factory reset, storage wipe |
| Device management | Lock screen, mute audio, launch apps |
## Technical Details

### Accessibility Abuse
BingoMod depends on Android's accessibility service for its core functionality:
| Function | Accessibility Usage |
|---|---|
| Screen streaming | Captures screen content for operator viewing |
| Remote input | Simulates taps, swipes, and text entry |
| Overlay triggering | Detects foreground application changes |
| Keylogging | Records input across all applications |
| Permission auto-granting | Automatically approves runtime permission dialogs |
| Uninstall prevention | Intercepts and dismisses settings/uninstall navigation |
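Because every row in the table above depends on an enabled accessibility service, the fastest live-device check during incident response is to list which accessibility services are enabled and who installed their packages. The script below is an added example (not from the Cleafy analysis) that parses two `adb shell` outputs offline: `settings get secure enabled_accessibility_services` (a colon-separated list of flattened `package/class` component names) and `pm list packages -i` (one `package:<name>  installer=<pkg>` line per app). Services belonging to sideloaded packages that are not on a benign allowlist are flagged. The sample outputs, the package names and the allowlists are constructed for this example.

```python
"""Offline triage of enabled accessibility services against install source.

Added example: flags accessibility services enabled by packages that did not
come from an app store. Sample adb outputs below are constructed.
"""

# Installers treated as app stores; a real deployment adds OEM stores here.
STORE_INSTALLERS = {"com.android.vending"}
# Accessibility packages considered benign (TalkBack is Android's screen reader).
BENIGN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Parse the enabled_accessibility_services setting into (package, class)."""
    services = []
    for item in setting_value.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):          # shorthand class is relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        tokens = line[len("package:"):].split()
        pkg = tokens[0]
        installer = "null"
        for tok in tokens[1:]:
            if tok.startswith("installer="):
                installer = tok[len("installer="):] or "null"
        installers[pkg] = installer
    return installers


def find_suspicious_services(setting_value: str, pm_output: str,
                             store_installers=STORE_INSTALLERS,
                             benign_packages=BENIGN_A11Y_PACKAGES) -> list[dict]:
    """Return enabled accessibility services from non-store, non-allowlisted packages."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg in benign_packages:
            continue
        installer = installers.get(pkg, "unknown")
        if installer not in store_installers:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


# Constructed sample outputs (not captured from a real infection).
SAMPLE_ENABLED_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.appprotection/.A11yService"
)
SAMPLE_PM_OUTPUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.appprotection  installer=null
package:com.android.chrome  installer=com.android.vending"""

if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_ENABLED_SETTING, SAMPLE_PM_OUTPUT):
        print(f"enabled accessibility service from sideloaded app: {f}")
```

A hit here does not prove infection, but an accessibility service from a sideloaded, security-themed app is exactly the footprint this family leaves, and because the same service also auto-dismisses the settings screens a user would use to remove it, the check is best run from a workstation over adb rather than on the handset itself.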
### Anti-Analysis
BingoMod implements several anti-analysis techniques, with Cleafy noting that this area is under active development:
| Technique | Implementation |
|---|---|
| Code obfuscation | Flattened code structure to complicate static analysis |
| String encryption | Sensitive strings encrypted and decrypted at runtime |
| Dynamic payloads | Overlay pages and configuration retrieved from C2 post-install |
| Emulator detection | Checks for virtual environment indicators |
The "under development" characterization from Cleafy indicates that BingoMod's authors are actively investing in evasion. Future versions are likely to incorporate more sophisticated anti-analysis measures as the malware matures.
### C2 Communication
BingoMod uses socket-based communication for real-time remote control sessions alongside HTTP for registration and data exfiltration:
| Protocol | Usage |
|---|---|
| HTTP | Bot registration, configuration retrieval, data upload |
| Socket | Real-time remote control sessions, screen streaming |
## Target Regions
| Region | Evidence |
|---|---|
| Italy | Italian-language lure app names ("SicurezzaWeb"), overlay targets |
| Europe (broader) | English-language lures suggesting wider European targeting |
Cleafy's analysis identified Italian-language fake app names and banking overlay targets consistent with Italian financial institutions. English-language lure themes indicate the operators are also targeting or planning to target English-speaking markets. The active development status suggests geographic expansion is likely.
## Notable Campaigns
Late May 2024: BingoMod campaigns begin. The malware distributes through smishing with fake antivirus and security app lures. Cleafy identifies multiple APK variants using different app names and icons to impersonate security tools.
July 2024: Cleafy publishes the full technical analysis of BingoMod, documenting the VNC-like remote access, ~40 C2 commands, device-wiping capability, and Romanian code comments. The publication highlights BingoMod as an active threat under continued development with growing anti-analysis capabilities.
## Related Families
BingoMod's device-wiping behavior directly parallels BRATA, which introduced factory reset as evidence destruction in January 2022. Cleafy documented BRATA's byebye_format command that wiped devices after completing fraudulent wire transfers. BingoMod implements the same concept independently. Copybara, which evolved from the BRATA ecosystem, also retains aspects of this destructive approach.
The VNC-like remote access capability places BingoMod in the same operational category as Octo (MediaProjection-based screen streaming), Hook (VNC + accessibility remote control), and Vultur (AlphaVNC-based screen streaming). All of these families perform on-device fraud by giving operators real-time interactive access to the victim's device rather than relying solely on overlay attacks for credential theft.
BingoMod's distribution through fake security app lures is a pattern shared with earlier BRATA campaigns, where McAfee documented variants on Google Play posing as app security scanners.