Wednesday, July 31, 2024

New Android malware wipes your device after draining bank accounts

July 31, 2024, 12:23 PM

Android

A new Android malware that researchers call 'BingoMod' can wipe devices after successfully stealing money from the victims' bank accounts using the on-device fraud technique.

Promoted through text messages, the malware poses as a legitimate mobile security tool and can steal up to 15,000 EUR per transaction.

According to the researchers analyzing it, BingoMod is under active development, with its author focusing on adding code obfuscation and various evasion mechanisms to lower its detection rate.


BingoMod details

Researchers at Cleafy, an online fraud management and prevention provider, found that BingoMod is distributed in smishing (SMS phishing) campaigns under various names that suggest a mobile security tool (e.g. APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo).

In one instance, the malware uses the icon for the free AVG AntiVirus & Security tool available on Google Play.

During the installation routine, the malware requests permission to use Accessibility Services, a feature intended for assistive apps that grants extensive control over the device.

Once active, BingoMod steals any login credentials, takes screenshots, and intercepts SMS messages.

To perform on-device fraud (ODF), the malware establishes a socket-based channel to receive commands and an HTTP-based channel to send a feed of screenshots, enabling almost real-time remote operation.

Figure: Virtual Network Computing (VNC) mechanism and data exchange (Source: Cleafy)

ODF is a common technique used for initiating fraudulent transactions from the victim's device, which fools standard anti-fraud systems that rely on identity verification and authentication.

Cleafy researchers explain in a report today that "the VNC routine abuses Android's Media Projection API to obtain real-time screen content. Once received, this is transformed into a suitable format and transmitted via HTTP to the TAs' [threat actor's] infrastructure."

One feature of the routine is that it can leverage Accessibility Services "to impersonate the user and enable the screen-casting request, exposed by the Media Projection API."

Figure: BingoMod's VNC routing (Source: Cleafy)

The commands that the remote operators can send to BingoMod include clicking on a particular area, writing text on a specified input element, and launching an application.

The malware also allows manual overlay attacks through fake notifications initiated by the threat actor. Additionally, a device infected with BingoMod can be used to further spread the malware through SMS.

Disabling defenses and wiping data

BingoMod can remove security solutions from the victim's device or block the activity of apps that the threat actor specifies in a command.

To evade detection, the malware's creators have added code-flattening and string obfuscation layers, which, based on VirusTotal scan results, achieved the intended goal.

Figure: VirusTotal scan results (Source: Cleafy)

If the malware is registered on the device as a device admin app, the operator can send a remote command to wipe the system. According to the researchers, this function is executed only after a successful transfer and affects only the external storage.

Figure: Data wiping routine (Source: Cleafy)

For a complete wipe, the threat actor may use the remote access capability to erase all data and factory-reset the phone from the system settings.

Although BingoMod is currently at version 1.5.1, Cleafy says that it appears to be in an early development stage.

Based on the comments in the code, the researchers believe that BingoMod may be the work of a Romanian developer. However, it is also possible that developers from other countries are contributing.

Meta settles with Texas for $1.4 billion over biometrics data collection

Jul 31, 2024, Ravie Lakshmanan

Meta, the parent company of Facebook, Instagram, and WhatsApp, agreed to a record $1.4 billion settlement with the U.S. state of Texas over allegations that it illegally collected biometric data of millions of users without their permission, marking one of the largest penalties levied by regulators against the tech giant.

"This historic settlement demonstrates our commitment to standing up to the world's biggest technology companies and holding them accountable for breaking the law and violating Texans' privacy rights," Attorney General Ken Paxton said. "Any abuse of Texans' sensitive data will be met with the full force of the law."

The development arrived more than two years after the social media behemoth was sued for unlawfully capturing facial data belonging to Texans without their informed consent, as required by the law. The Menlo Park-based company, however, did not admit to any wrongdoing.


Tag Suggestions, as the feature was originally called when it was introduced in 2010, was marketed as a way for users to easily tag photos shared on Facebook with the names of the people in them. However, it was enabled by default without an adequate explanation of how it worked.

The lawsuit accused Meta of violating the state's Capture or Use of Biometric Identifier (CUBI) Act and the Deceptive Trade Practices Act.

"Unbeknownst to most Texans, for more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook, capturing records of the facial geometry of the people depicted," according to a press statement from the Attorney General's office.

"Meta did this despite knowing that CUBI forbids companies from capturing biometric identifiers of Texans, including records of face geometry, unless the business first informs the person and receives their consent to capture the biometric identifier."

In November 2021, Meta said it was discontinuing its "Face Recognition" system altogether and deleting a huge collection of more than a billion users' facial recognition templates as part of a wider initiative to limit the use of the technology across its products.

That same year, it agreed to pay a $650 million settlement in a 2015 class-action lawsuit in Illinois under the Biometric Information Privacy Act (BIPA) over similar allegations related to its face-tagging system.

Meta is not the only party being targeted by Texas over the collection of biometric data. The state also sued Google in October 2022 for allegedly violating the same biometric privacy law by gathering voice and facial data through products like Google Photos, Google Assistant, and Nest Hub Max. The case is currently underway.

India-Linked SideWinder Group Pivots to Hacking Maritime Targets

The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.

Image: a sidewinder snake (Source: Papilio via Alamy)

A nation-state cyber-espionage group linked to India has broadened its targeting beyond regional rivals in Pakistan, Afghanistan, China, and Nepal and is now focused on compromising computers and networks at maritime facilities in countries as far away as the Mediterranean Sea.

The group — known variously as SideWinder, Razor Tiger, and Rattlesnake — commonly wages spear-phishing attacks using images of official-looking documents. In its latest campaigns, SideWinder has falsified documents from specific ports, including the Port of Alexandria in Egypt, with high-interest topics such as job termination and salary reductions, researchers from BlackBerry said in a newly published advisory.

While the group has typically focused on rivals closer to home and is less prolific than other cyber spies, the current campaign suggests that they have expanded their targeting, says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.

"It's the first time we have seen SideWinder targeting ports and maritime facilities in EMEA," he says. "We see a lot of geopolitical turbulence and [changing] environments across the globe on a variety of issues. This often galvanizes threat groups and state-sponsors to specifically strike down critical assets, like those within the maritime industry."

The maritime industry increasingly has become a target of cyberattacks, posing serious danger to ships and ports. In 2019, the US Coast Guard warned shipping companies that attacks on their systems could lead to accidents and catastrophes. In the past year, following increased Chinese cyber operations against critical infrastructure including maritime systems in and around the South China Sea, various countries in the Asia-Pacific region have banded together to protect their networks and systems.

The cyber warnings also come as physical threats to shipping increase. Piracy off the Atlantic coast of Africa and in the Arabian Sea, and among the island nations of the Asia-Pacific, has escalated, while ship malfunctions — such as the one that caused a vessel to collide with the Baltimore bridge — have become more frequent.

New Phishing Lures, Old Exploits

SideWinder has conducted attacks since at least 2012. The group is relatively sophisticated, commonly using encrypted malware samples, various obfuscation techniques, and running code in memory to avoid file scanners, according to a presentation at Black Hat Asia in 2022. From 2020 to 2022, the group conducted more than 1,000 attacks, Noushin Shabab, senior security researcher with Kaspersky, said during that presentation.

"I think what truly makes them stand out among other APT [advanced persistent threat] actors is the large tool set they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," Shabab said. "I haven't seen 1,000 attacks from a single APT" from another group thus far.

However, the current cyberattacks are, in many cases, using older vulnerabilities, such as a flaw in Microsoft Office dating back to 2017. The vulnerability (CVE-2017-0199) allows remote code execution against old versions of Microsoft Office and Windows and has been a very popular attack vector, with more than 5,600 malware samples exploiting the issue this year, including 15 malicious samples reported from Egypt, according to BlackBerry.

Like most groups, SideWinder does not like to waste a good exploit, even if it's seven years old, says Valenzuela.

"Why do we still see old CVEs like these exploited in the wild? Attackers know that many organizations don’t patch their Office software for many years," he says. "This is especially common in organizations with legacy systems, which are often used in ports and maritime facilities as well as other critical infrastructure."

BlackBerry documented the use of another very popular — and seven-year-old — vulnerability, in the Microsoft Office Equation Editor (CVE-2017-11882), with more than 9,500 samples of Office documents exploiting the issue since the start of 2024. Both of these vulnerabilities have made the Known Exploited Vulnerabilities list maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

Maritime Under Attack

BlackBerry's threat researchers discovered a variety of domains used in the first and second stages of the attack that likely point to the group's targets, including a long list of South Asian countries such as Pakistan, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Egyptian ports appear to be the only target outside India's extended neighborhood.

While the group appears to be extending its reach to other regions of the world, its cyber operations are not actually targeting ports on a global scale, Valenzuela says.

"They’re certainly targeting ports in key countries where this threat actor has geopolitical interests, and that includes the Indian Ocean and the Mediterranean, [such as] Egypt," he says. "We don’t have information about other targets in the Mediterranean Sea at this time."

The researchers have not captured the final payload in the attacks, but based on the group's previous actions, they believe the goal is intelligence-gathering and cyber espionage, the company stated in its advisory.

Telegram founder arrested

Aug 25, 2024, Ravie Lakshmanan

Pavel Durov, founder and chief executive of the popular messaging app Telegram, was arrested in France on ...