{
	"id": "ab5eedd1-31e7-41c3-93b5-e49f18ebfe02",
	"created_at": "2026-04-06T00:13:00.470468Z",
	"updated_at": "2026-04-10T03:20:24.35117Z",
	"deleted_at": null,
	"sha1_hash": "256a9132e90bde1d50a7786124da592249bee5b7",
	"title": "BingoMod: The new android RAT that steals money and wipes data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4622966,
	"plain_text": "BingoMod: The new android RAT that steals money and wipes data\r\nBy Alessandro Strino, Simone Mattia\r\nArchived: 2026-04-05 20:16:56 UTC\r\nKey Points\r\nAt the end of May 2024, the Cleafy TIR team discovered and analysed a new Android RAT. Since we didn't find\r\nreferences to any known families, we decided to dub this new family BingoMod.\r\nThe main goal of BingoMod is to initiate money transfers from the compromised devices via Account Takeover\r\n(ATO) using a well-known technique, called On Device Fraud (ODF). It aims to bypass bank countermeasures\r\nused to enforce users’ identity verification and authentication, combined with behavioural detection techniques\r\napplied by banks to identify suspicious money transfers.\r\nAfter installation on the victim’s device, BingoMod leverages various permissions, including Accessibility\r\nServices,  to quietly steal sensitive information, including credentials, SMS messages, and current account\r\nbalances. In addition, the malware is equipped with active features that allow it to conduct overlay attacks and\r\nremotely access the compromised device using VNC-like functionality.\r\nAfter a successful fraudulent transfer, the infected device is typically wiped, removing any traces of BingoMod\r\nactivity to hinder forensic investigations.\r\nAnother interesting element that emerged during the BingoMod investigation is related to target devices, which\r\ninclude three languages: English, Romanian, and Italian.\r\nAt the time of writing, BingoMod is in a development phase, where developers are experimenting with\r\nobfuscation techniques to lower its detection rate against AV solutions. 
Across all the samples collected, what\r\nhas emerged is an effort to try multiple anti-analysis configurations rather than making the malware more complex\r\nin terms of functionalities.\r\nAccording to the comments identified within the malware code, developers may be Romanian speakers.\r\nExecutive Summary\r\nAt the end of May 2024, a new Android RAT appeared in Cleafy’s telemetries.\r\nDue to the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it\r\nBingoMod to track it inside our Threat Intelligence taxonomy. This nomenclature is based on the malware's core\r\ncomponent, known at an early stage as “ChrUpdate” but later renamed “BingoMod”.\r\nBingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow Threat\r\nActors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device\r\nFraud (ODF) technique. The consolidation of this technique has already been seen recently in other banking trojans,\r\nsuch as Medusa, Copybara, and Teabot.\r\nThese techniques have several advantages: they require less skilled developers, expand the malware's target base to any\r\nbank, and bypass various behavioural detection countermeasures put in place by multiple banks and financial services.\r\nHowever, this advantage does not come for free: one drawback of this technique is that it relies on a live operator, who is\r\nrequired to insert and authorise a money transfer, which implicitly means lowering its scale factor.\r\nhttps://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data\r\nPage 1 of 14\n\nBingoMod is similar to Brata's operating model in using device wiping after a successful fraudulent transfer. 
This\r\nself-destruction mechanism is designed to eradicate any trace of BingoMod's activity on the infected device, effectively\r\nhindering forensic analysis and making it more challenging for researchers to identify and attribute incidents. This tactic\r\nis relatively rare in the Android landscape, suggesting that the developers of BingoMod could be aware of Brata's\r\nmethods and have incorporated them into their methodology.\r\nMoreover, it's also worth mentioning that this sample is in its early stage of development, and it's still hard to predict\r\nwhich direction will be taken. However, the developers’ commitment to attempting obfuscation techniques underlines\r\ntheir intention to pursue a more opportunistic approach than a tailored one already seen in malware like SharkBot or\r\nGustuff.\r\nThe following table represents a summary of the TTP behind BingoMod campaigns:\r\nFirst Evidence May 2024\r\nState Active (July 2024)\r\nAffected Entities Retail banking\r\nTarget OSs Android Devices\r\nTarget Countries IT\r\nInfected Chain Social Engineering (smishing) -\u003e Side-loading\r\nFraud Scenario On-Device Fraud (ODF)\r\nPreferred Cash-Out Instant/SEPA transfer\r\nAmount handled (per transfer) Up to 15K EUR\r\nAll detected samples provided in the Appendix are disguised as legitimate security tools to protect the device.\r\nFigure 1 - Common decoy used by BingoMod\r\nTechnical Analysis\r\nAs previously mentioned, the malicious app is distributed via smishing and often masquerades as a legitimate antivirus\r\napplication.  After installation on the victim's device, BingoMod prompts the user to activate Accessibility Services,\r\ndisguising the request as necessary for the app to function correctly. If the user grants the requested permissions, the\r\nAPK begins to unpack itself, executing its malicious payload. 
Once the operation is completed, the app still locks\r\nthe user out of the main screen to collect device information and set up the C2 communication channel.\r\nFigure 2 - Starting phase of BingoMod\r\nAfter activation, BingoMod's background functions act, aiming to provide sensitive data to the actors behind the\r\nmalware. In detail, two features typical of banking Trojans are used:\r\nKey-logging: This function exploits the Accessibility Services to steal sensitive information displayed on the\r\ndevice screen or entered by the user, such as login credentials or account balances.\r\nSMS interception: This function starts monitoring SMS messages, often used by financial institutions for\r\ntransaction authentication numbers (TANs).\r\nFigure 3 - Keylogging routine\r\nAs mentioned earlier, BingoMod's main objective is to initiate money transfers directly from compromised devices\r\n(ODF). Therefore, the malware implements several remote control functionalities. To do this, BingoMod establishes a\r\nsocket-based connection with the command and control infrastructure (C2) to receive commands that TAs want to\r\nperform on the compromised device.\r\nThe malware provides around 40 remote control functions; the most relevant are related to real-time\r\nscreen control, which is implemented in the following way:\r\nVNC-like routine: Leveraging Android's Media Projection API, TAs capture screenshots of the victim's device\r\nscreen at regular intervals, giving them a complete overview of what is happening on the screen.\r\nScreen interaction: Leveraging Accessibility Service, BingoMod provides several commands to remotely control\r\nthe infected device screen, allowing TAs to operate the device as if they were physically in front of it. 
These\r\nfunctionalities include clicking buttons, filling in forms, and navigating between apps.\r\nFor this purpose, BingoMod uses two separate communication channels: a socket-based channel for command\r\ntransmission (in the case of VNC start/stop) and an HTTP-based channel for image transfer.\r\nFigure 4 - C2 communication scheme during VNC routine\r\nTo better illustrate this process, we created a simulated C2 infrastructure. This setup includes a socket-based C2 server\r\nfor remote control and an HTTP-based \"VNC\" server to capture and display real-time screenshots that the infected device\r\nsends.\r\nFigure 5 - VNC in action (TAs' point of view)\r\nOn the malware side, the VNC routine abuses Android's Media Projection API to obtain real-time screen content. Once\r\nreceived, this is transformed into a suitable format and transmitted via HTTP to the TAs' infrastructure. An interesting\r\nfeature of the routine is that it leverages Accessibility Services to impersonate the user and enable the screen-casting request\r\nexposed by the Media Projection API.\r\nFigure 6 - VNC routine\r\nOnce the VNC-like routine is activated, TAs can interact with the device using dedicated commands. These include, for\r\nexample, opening a specific application (\u003cLAUNCH\u003e), moving to a particular area on the screen (\u003cMOVEAT\u003e), clicking\r\na particular area (\u003cCLICKAT\u003e) or writing in a particular text box (\u003cSETTEXT\u003e).\r\nIn addition to real-time screen control, the malware shows phishing capabilities through Overlay Attacks and fake\r\nnotifications. Unusually, overlay attacks are not triggered when specific target apps are opened but are initiated directly\r\nby the malware operator. 
Still, in the context of phishing, TAs can also send SMS messages from the compromised\r\ndevice; this functionality can be used to spread the malware further.\r\nFigure 7 - Overlay in action\r\nFinally, the malware implements some security measures to improve its resilience: it hinders editing system settings,\r\nespecially those regarding the malware itself, and can block the activity of specified applications set by the actors via a\r\ndedicated command. If this is not enough, BingoMod can also uninstall arbitrary applications. For instance, this feature\r\ncan be used to prevent security apps from detecting the presence of the malware itself.\r\nAs mentioned earlier, BingoMod's most notable security measure is its ability to wipe the device remotely with a\r\ndedicated command. This feature can be implemented by BingoMod when it is a device administrator and is typically\r\nexecuted after a successful fraud. However, this functionality is limited to the device's external storage only, so we\r\nspeculate that the complete wipe is performed by TAs directly from the device's system settings, leveraging BingoMod's\r\nremote access capabilities.\r\nFigure 8 - Wipe Routine\r\nThe entire BingoMod command set is provided in the appendix.\r\nMalware Evolution\r\nIt’s worth considering that from the first sample until now, it has been possible to observe that developers are in an\r\n“experimental” phase, focused mainly on app obfuscation and a packing process that aims to reduce detection by AV\r\nsolutions instead of equipping their code with advanced capabilities. 
This change is immediately observable using\r\ndetection engines from VirusTotal, showing that early campaigns were easily detected, whereas the recent ones have a lower\r\ndetection rate.\r\nFigure 9 - Detection rate dropped after obfuscation layers\r\nAs mentioned, functions and classes stayed mostly the same over time. However, the obfuscation employed lowers the\r\noverall detection rate. The figure below gives a code example that refers to the hiddenVNC procedure, where the\r\nmalware is sending a screenshot to the C2, simulating a live stream.\r\nFigure 10 - Code comparison between early and newer versions of BingoMod\r\nIn the upper part of this image, we can see an early version of the sample. Aside from some variable renaming, the\r\noverall code is understandable. In the newer version, however, the same function appears to be heavily obfuscated using code-flattening and\r\nstring obfuscation techniques. After tweaking the code to resolve the switches, the overall structures are the same,\r\nstrengthening the hypothesis that TAs rely on obfuscation over malware complexity.\r\nMoreover, it’s worth comparing different code versions to analyse their changes when discussing malware evolution. As\r\nshown in Figure 11, there were no significant changes in the overall structure and functionality. However, an\r\nasynchronous callback mechanism has been introduced in the PingUtil class to send \"alive\" signals to the C2 server,\r\ngiving information about the bot's status.\r\nFigure 11 - Class name comparison between the earlier malicious BingoMod packages and newer versions\r\nFurther evidence confirming its developmental stage is the amount of log information left within the code. 
It is worth\r\nmentioning that although some comments have been deleted in later releases, some still refer to older package names.\r\nFor instance, in release 1.4.3b, references to package names from the first version (1.0) are still visible.\r\nAnother interesting element that emerged during the BingoMod investigation is related to target devices, which include\r\nthree languages: English, Romanian, and Italian, here disguised as com.\r\nFigure 12 - Switches to select the proper language device\r\nHowever, it is possible to observe that the Romanian language is mixed with English words. The Italian strings\r\nalso contain a few typos. Those strings and the general code could be another sign that those versions are\r\nstill in their “debug” phase.\r\nAttribution\r\nDetails retrieved during the investigation led us to several speculations about the developers. For instance, some\r\ncomments are in Romanian, but these comments have been removed in more recent versions. This suggests that the TAs\r\nhave evolved, possibly incorporating developers from different countries, or they are trying to reduce indicators that can\r\nlead further LEA investigations to a specific region.\r\nFigure 13 - Romanian comments left in the code\r\nMoreover, a recent campaign involving version 1.4.3b was uploaded to VirusTotal from an IP address geolocating to the\r\nRomanian region. While this behaviour is plausible, it strengthens suspicions about active campaigns and areas involved\r\nin their attack.\r\nFigure 14 - Suspicious upload of BingoMod from Romanian country\r\nConclusion\r\nBingoMod shows relatively straightforward functionalities commonly found in most contemporary RATs, such as\r\nHiddenVNC for remote control, SMS suppression to intercept and manipulate communication, and logging of user\r\ninteractions to steal sensitive data. 
The emphasis on obfuscation and unpacking techniques suggests that the developers\r\nmay lack the sophistication or experience of more advanced malware authors. This is evident in their reliance on basic\r\nobfuscation methods and the minimalistic approach to developing the malware’s functionalities. It is plausible that the\r\ndevelopers aimed to quickly produce a functional piece of malware, prioritising speed over complexity.\r\nOne notable aspect of this malware is its device-wiping capability, triggered after a fraudulent transaction. This\r\nbehaviour is reminiscent of the Brata malware, which also employed device-wiping to cover its tracks and hinder\r\nforensic analysis. However, the simplicity and rudimentary nature of the code suggests that this feature is more of an\r\neasy exit strategy rather than an indication of any direct lineage or connection to Brata. This action further supports the\r\ntheory that the developers opted for straightforward and efficient methods to achieve their goals without delving into\r\nmore complex development practices. Compared to more sophisticated threats such as Sharkbot, which incorporates an\r\nAutomatic Transfer System (ATS) to automate fraudulent transactions, this malware needs to improve in terms of\r\nadvanced capabilities.\r\nThe lack of automated components implies that scaling this approach would be challenging, as it requires direct operator\r\ninteraction to perform Account Takeover (ATO) activities. This direct interaction often involves manipulating the victim\r\nor their device in real time, limiting the scale of potential attacks and exposing the operators to a higher risk of detection.\r\nThe reliance on manual intervention underscores the limited technical capabilities behind this malware and indicates that\r\nit operates within a more traditional fraud paradigm. 
Interestingly, the current trend among mobile banking trojans,\r\nexemplified by threats like Copybara and Medusa, focuses on On-Device Fraud (ODF) through ATO. This shift\r\nhighlights a broader trend within the malware landscape where the emphasis is placed on exploiting the device to\r\nconduct fraudulent activities rather than developing highly automated systems. The analysed malware aligns with this\r\ntrend, focusing on direct interaction with the victim's device to carry out its malicious objectives. This approach, while\r\nless sophisticated, still poses significant risks to end-users and financial institutions due to the potential for substantial\r\neconomic loss and the disruption of personal data security.\r\nAppendix 1: Indicator of Compromise (IoC)\r\nMD5 Version App Name Package Name\r\n8b173081ea73ee0ed223d5703bb5fcd1\r\n1\r\nAPP Protection\r\ncom.djokovic.chromeupdate\r\nbb8a2e045fdc2017b2171ff57286b05c Antivirus Cleanup\r\n3f6dfc31e152d39d52388ec7673f64d5\r\nChrome Update\r\nbd1f1a2e8ff984ce6d795d025bbccdb1\r\n41d1d5e16df294a24e36fd735076ef93\r\n38dc0f70fa3c76b28ba5ad06d84a3e08\r\nbdbec1c7c816b61b4ef9c76804d18f47\r\n7574c1cc849108f911652571a73e2447 InfoWeb com.coffeestainstudios.goatsimulator\r\n03b486cc13618d806a79d794ba138b43 SicurezzaWeb\r\ncom.ccandroid.suite\r\ne9a58a77a042986ea5fdfdc6b2a396c0 WebSecurity\r\n5bf85b009e29f0af6218991942f32329\r\nWebsInfo\r\ncom.bimiboo.coloring\r\n802624f4d0169e949bf40b613824d967 com.halfbrick.joyride\r\n1e850e735c649b1f80ba36c7b07a198a 1.1 WebInfo com.tocaboca.tocahairsalon4\r\n60d2350b8f5bd08e05612ed8c894af20\r\n1.4.1b\r\nAPKAPPSCUDO com.danza.perfectarcher\r\nb4156ef9761f51dbac2d1104946dd3a8 com.kanko.negruzzi\r\na29c774dc6dc5f29d603f1b52fcdf241 1.4.3b com.vonation.hitenhit\r\n2788e87b8760ebdec67bce21899893d2 1.5.1 
com.pescado.hitenhit\r\n3534af6660e5ac844167fc3eef00bcc5 1.6.7 com.primo.eternalache\r\n08878948f69846d2217290614b70c151 1.7.1 com.bleuinc.xperinz\r\n75bee41937b00ab466d31bd9e7193b02 1.8.2 com.pelosi.polskaball\r\n516ab57114f204eb24e690f56b9699c1 1.9.4 com.deco.canta\r\nIP Description\r\n101.99.92[.]10 C2 Server\r\n103.155.92[.]11 C2 Server\r\nAppendix 2: Command Sets\r\nVersion\r\n1\r\nVersion\r\n1.4.1b\r\nVersion\r\n1.4.3b\r\nVersion\r\n1.5.1\r\n\u003cACTIVITY\u003e \u003cACTIVITY\u003e \u003cACTIVITY\u003e \u003cACTIVITY\u003e\r\n\u003cBLOCKAPP\u003e \u003cBLOCKAPP\u003e \u003cBLOCKAPP\u003e \u003cBLOCKAPP\u003e\r\n- - - \u003cBLOCKCALL\u003e\r\n\u003cBRIGHTNESS\u003e \u003cBRIGHTNESS\u003e \u003cBRIGHTNESS\u003e \u003cBRIGHTNESS\u003e\r\n\u003cCALLNO\u003e - - -\r\n- \u003cCHECKPERM\u003e \u003cCHECKPERM\u003e \u003cCHECKPERM\u003e\r\n- \u003cCLEARNOT\u003e \u003cCLEARNOT\u003e \u003cCLEARNOT\u003e\r\n\u003cCLICKAT\u003e \u003cCLICKAT\u003e \u003cCLICKAT\u003e \u003cCLICKAT\u003e\r\n\u003cCLICKNODE\u003e \u003cCLICKNODE\u003e \u003cCLICKNODE\u003e \u003cCLICKNODE\u003e\r\n\u003cDRAWVIEW\u003e - - -\r\n\u003cFAKESMS\u003e \u003cFAKESMS\u003e \u003cFAKESMS\u003e \u003cFAKESMS\u003e\r\n\u003cGETADMIN\u003e \u003cGETADMIN\u003e \u003cGETADMIN\u003e \u003cGETADMIN\u003e\r\n\u003cGETNODES\u003e \u003cGETNODES\u003e \u003cGETNODES\u003e \u003cGETNODES\u003e\r\n\u003cGETNOTIFYPERM\u003e \u003cGETNOTIFYPERM\u003e \u003cGETNOTIFYPERM\u003e \u003cGETNOTIFYPERM\u003e\r\n\u003cGETSMSPERM\u003e \u003cGETSMSPERM\u003e \u003cGETSMSPERM\u003e \u003cGETSMSPERM\u003e\r\n\u003cGETWRITEPERM\u003e \u003cGETWRITEPERM\u003e \u003cGETWRITEPERM\u003e \u003cGETWRITEPERM\u003e\r\n\u003cGRANT\u003e \u003cGRANT\u003e \u003cGRANT\u003e \u003cGRANT\u003e\r\n- \u003cINPUFOCUS\u003e 
\u003cINPUFOCUS\u003e \u003cINPUFOCUS\u003e\r\n\u003cINPUT\u003e \u003cINPUT\u003e \u003cINPUT\u003e \u003cINPUT\u003e\r\n\u003cLAUNCH\u003e \u003cLAUNCH\u003e \u003cLAUNCH\u003e \u003cLAUNCH\u003e\r\n\u003cLAUNCHA\u003e \u003cLAUNCHA\u003e \u003cLAUNCHA\u003e \u003cLAUNCHA\u003e\r\n\u003cMOVEAT\u003e \u003cMOVEAT\u003e \u003cMOVEAT\u003e \u003cMOVEAT\u003e\r\n\u003cMUTEDEV\u003e \u003cMUTEDEV\u003e \u003cMUTEDEV\u003e \u003cMUTEDEV\u003e\r\n\u003cNOTIFY\u003e \u003cNOTIFY\u003e \u003cNOTIFY\u003e \u003cNOTIFY\u003e\r\n\u003cOPTIMISATIONPERM\u003e \u003cOPTIMISATIONPERM\u003e \u003cOPTIMISATIONPERM\u003e \u003cOPTIMISATIONPERM\u003e\r\n\u003cOV\u003e \u003cOV\u003e \u003cOV\u003e \u003cOV\u003e\r\n\u003cPM\u003e \u003cPM\u003e \u003cPM\u003e \u003cPM\u003e\r\n- \u003cREFRESHSMS\u003e \u003cREFRESHSMS\u003e \u003cREFRESHSMS\u003e\r\n\u003cRGTGETWRITEPERM\u003e \u003cRGTGETWRITEPERM\u003e \u003cRGTGETWRITEPERM\u003e \u003cRGTGETWRITEPERM\u003e\r\n- \u003cSELFUNINSTALL\u003e \u003cSELFUNINSTALL\u003e \u003cSELFUNINSTALL\u003e\r\n\u003cSETDEFAULT\u003e \u003cSETDEFAULT\u003e \u003cSETDEFAULT\u003e \u003cSETDEFAULT\u003e\r\n\u003cSETTEXT\u003e \u003cSETTEXT\u003e \u003cSETTEXT\u003e \u003cSETTEXT\u003e\r\n\u003cSTARTVNC\u003e \u003cSTARTVNC\u003e \u003cSTARTVNC\u003e \u003cSTARTVNC\u003e\r\n\u003cSTOP\u003e \u003cSTOP\u003e \u003cSTOP\u003e \u003cSTOP\u003e\r\n\u003cSUPRESSMS\u003e \u003cSUPRESSMS\u003e \u003cSUPRESSMS\u003e \u003cSUPRESSMS\u003e\r\n\u003cUNBLOCKAPP\u003e \u003cUNBLOCKAPP\u003e \u003cUNBLOCKAPP\u003e \u003cUNBLOCKAPP\u003e\r\n\u003cUNINSTALL\u003e \u003cUNINSTALL\u003e \u003cUNINSTALL\u003e \u003cUNINSTALL\u003e\r\n\u003cUNMUTEDEV\u003e \u003cUNMUTEDEV\u003e \u003cUNMUTEDEV\u003e \u003cUNMUTEDEV\u003e\r\n\u003cVIBRATE\u003e \u003cVIBRATE\u003e \u003cVIBRATE\u003e \u003cVIBRATE\u003e\r\n\u003cWIPE\u003e \u003cWIPE\u003e \u003cWIPE\u003e 
\u003cWIPE\u003e\r\nSource: https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data"
	],
	"report_names": [
		"bingomod-the-new-android-rat-that-steals-money-and-wipes-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/256a9132e90bde1d50a7786124da592249bee5b7.pdf",
		"text": "https://archive.orkl.eu/256a9132e90bde1d50a7786124da592249bee5b7.txt",
		"img": "https://archive.orkl.eu/256a9132e90bde1d50a7786124da592249bee5b7.jpg"
	}
}