BingoMod

Malware

⚠️ Overview

BingoMod is an Android remote access trojan (RAT) built for banking fraud. Cleafy's Threat Intelligence team identified it at the end of May 2024 and published its analysis in July 2024. The operators have not been attributed to any known group; campaigns target Italian banking customers, and the malware belongs to the class of financial malware that performs on-device fraud (ODF), where the fraudulent transaction is initiated from the victim's own phone rather than from attacker infrastructure.

🔧 Technical Capabilities

The malware spreads through smishing campaigns that deliver sideloaded APKs posing as legitimate applications, typically fake mobile security or antivirus tools; "BingoMod" is the family name used by researchers, not the name of a lure app. Once installed it pushes the victim to grant it Accessibility Service access, which is the single capability the rest of the attack hangs on: with it the app can read and inject UI events, log keystrokes, draw overlays, and intercept incoming SMS to capture one-time 2FA codes. Its command-and-control channel supports VNC-like remote control through screen streaming and real-time input injection, so the operator can log in to the victim's banking app and initiate transfers on the infected device itself, where the session looks like the legitimate customer's. For persistence it requests Device Admin privileges and attempts to neutralise Google Play Protect; Device Admin also gives it the ability to wipe the device, which the operators use after a successful fraud to destroy evidence. Detection evasion relies on Dex-level obfuscation and on deferring the malicious behaviour until after installation so that sandboxes see little. It also exfiltrates the contact list and SMS store, which feeds follow-on targeting of the victim's contacts.

📜 History & Notable Incidents

BingoMod was first observed at the end of May 2024 in campaigns against Italian banking customers, documented by Cleafy in July 2024. No law enforcement action has been reported. No CVEs are associated with the malware: it relies entirely on social engineering and on permissions the victim is talked into granting, not on exploited vulnerabilities. The group behind it remains unidentified; Romanian-language comments in the code suggest Romanian-speaking developers, but that is not an attribution. The operation is low-volume and targeted rather than mass-distributed, which keeps detection rates low.

🔍 Detection Indicators

Sample hashes and C2 details should be taken from Cleafy's published report rather than from aggregator pages. In particular, any list that cites SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for this family should be disregarded: that value is the SHA-256 of empty input, not of any APK. Package names and C2 domains circulating for this family could not be corroborated against the vendor report and are omitted here. A User-Agent of the form "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36" is likewise not a usable indicator: since Chrome's user-agent reduction every Android Chrome client reports "Android 10; K", so it cannot separate malware beaconing from ordinary browser traffic. The reliable indicators are behavioural: a sideloaded app from an SMS link that repeatedly prompts for Accessibility Service access, requests Device Admin activation, declares an accessibility service alongside SMS and contacts permissions, streams the screen to a remote host, and attempts to disable Play Protect or remove security apps.

☠️ Risk & Impact

BingoMod enables real-time financial theft: because the transfer is initiated from the victim's enrolled device, with the victim's credentials and the intercepted OTP, it passes device-binding and SMS-based step-up controls. Cleafy reported fraudulent transfers of up to 15,000 EUR per transaction. The primary impact falls on Italian banking customers. Beyond the monetary loss, the exfiltrated SMS and contact data expose the victim's contacts to follow-on smishing, and the post-fraud device wipe destroys the victim's data together with the forensic evidence.

🛡️ Mitigation

Recommended measures: block installation from unknown sources (on managed devices, via policy; on Android 13 and later, restricted settings already stop sideloaded apps from enabling an accessibility service without an extra warning flow), deploy a mobile threat defence (MTD) product such as Lookout or Zimperium with behavioural rules for Accessibility Service abuse, and train users not to install apps from SMS links. There are no vendor patches because BingoMod exploits no CVE; the controls that matter are conditional access policies that deny rooted devices or devices with an unexpected accessibility service or device admin enabled, and bank-side ODF detection that looks for remote-control artefacts in the session rather than trusting the device.
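The behavioural indicators in the Detection Indicators section and the "accessibility-service-abusing devices" check in the mitigation above can both be turned into code. The following is an added example written for this page, not code from Cleafy or from the malware: a static triage that scores a decoded AndroidManifest.xml for the capability bundle described under Technical Capabilities (accessibility service plus SMS, contacts, overlay and device-admin), and a device-side check that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags packages outside an allowlist. The manifest, the adb output and the package name `com.example.fakeantivirus` are constructed for the example; the allowlists are placeholders to replace with your fleet's expected components.

```python
"""Triage helpers for the BingoMod capability bundle (added example).

Static side: score a decoded AndroidManifest.xml for the permission and
component combination an ODF trojan needs. Dynamic side: parse adb output
and flag accessibility services / device admins that are not allowlisted.
All sample data below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# <uses-permission> entries and the capability each one supports.
SUSPECT_USES_PERMISSION = {
    "android.permission.RECEIVE_SMS": "SMS interception (2FA theft)",
    "android.permission.READ_SMS": "SMS exfiltration",
    "android.permission.READ_CONTACTS": "contact-list exfiltration",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further payloads",
}
# Signature permissions that appear on the <service>/<receiver> component,
# never in <uses-permission>, so they need a separate lookup.
SUSPECT_COMPONENT_PERMISSION = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (keylogging, VNC-like control)",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin persistence / wipe",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, matched capabilities and a verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        reason = SUSPECT_USES_PERMISSION.get(node.get(A_NAME, ""))
        if reason:
            findings.append(reason)
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            reason = SUSPECT_COMPONENT_PERMISSION.get(node.get(A_PERM, ""))
            if reason:
                findings.append(reason)
    has_a11y = any("accessibility" in f for f in findings)
    has_sms = any("SMS" in f for f in findings)
    # Accessibility plus SMS access is the minimum an ODF flow needs
    # (drive the banking app, read the OTP), so that pair is the trigger.
    verdict = "SUSPECT" if has_a11y and has_sms else "review"
    return {"package": root.get("package", ""), "findings": findings, "verdict": verdict}


# Placeholder allowlists: replace with the components your fleet expects.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}
ALLOWED_ADMINS = {"com.android.managedprovisioning"}


def enabled_accessibility_services(settings_output: str) -> list:
    """Parse `settings get secure enabled_accessibility_services`:
    colon-separated pkg/service entries, or the literal 'null' when none."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def device_admins(dumpsys_output: str) -> list:
    """Pull ComponentInfo{pkg/cls} entries out of `dumpsys device_policy`."""
    return re.findall(r"ComponentInfo\{([^}]+)\}", dumpsys_output)


def flag_unexpected(components: list, allowed_packages: set) -> list:
    """Return components whose package is not in the allowlist."""
    return [c for c in components if c.split("/")[0] not in allowed_packages]


# Constructed sample manifest (not a real BingoMod artifact).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeantivirus">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed adb output: TalkBack is expected, the fake AV app is not.
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.example.fakeantivirus/.A11yService\n"
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakeantivirus/com.example.fakeantivirus.AdminReceiver}
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["verdict"], *report["findings"], sep="\n  ")
    print("unexpected a11y:", flag_unexpected(enabled_accessibility_services(SAMPLE_A11Y), ALLOWED_A11Y))
    print("unexpected admins:", flag_unexpected(device_admins(SAMPLE_DUMPSYS), ALLOWED_ADMINS))
```

On a real device the two adb commands are run per enrolled handset (or the equivalent data is pulled from the MDM's device inventory) and any non-empty "unexpected" list is enough to deny access under the conditional access policy described above; the manifest triage runs on APKs recovered from smishing links before they reach users.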
