The Chameleon Android banking trojan has resurfaced with a fresh iteration that employs a clever technique to gain control of devices. This new version disables fingerprint and face unlock features in order to pilfer device PINs. The trojan achieves this by utilizing an HTML page trick to gain access to the Accessibility service and disrupt biometric operations, allowing it to steal PINs and unlock the device at its own discretion.

Previous iterations of Chameleon, observed in April of this year, masqueraded as Australian government agencies, banks, and the CoinSpot cryptocurrency exchange. These earlier versions carried out various malicious activities on compromised devices, including keylogging, overlay injection, cookie theft, and SMS theft.

According to researchers at ThreatFabric, who have been closely monitoring this malware, the current distribution of Chameleon is facilitated through the Zombinder service, which disguises itself as Google Chrome. Zombinder essentially “glues” malware onto legitimate Android apps, enabling victims to enjoy the full functionality of the intended app. This clever tactic reduces the likelihood of suspicion, as dangerous code runs inconspicuously in the background.

The Zombinder platform claims that its malicious bundles are undetectable during runtime, successfully evading Google Play Protect alerts and any antivirus products installed on the infected device.

Chrome Apps - Source: ThreatFabric

New Chameleon Features

The latest version of Chameleon introduces a new feature that allows it to display an HTML page on Android 13 and later devices. This HTML page prompts users to grant the app permission to use the Accessibility service. However, Android 13 and later have a security feature called “Restricted setting” that blocks the approval of dangerous permissions like Accessibility. Malware can exploit this permission to steal on-screen content, gain additional permissions, and perform navigation gestures.

When Chameleon detects Android 13 or 14, it bypasses the system’s protection by loading an HTML page that guides users through a manual process to enable Accessibility for the app. This allows Chameleon to override the Restricted setting.

Chameleon HTML Prompt - Source: ThreatFabric

Another notable feature of Chameleon is its ability to interrupt biometric operations on the device, such as fingerprint and face unlock. It achieves this by utilizing the Accessibility service to force a fallback to PIN or password authentication. By capturing the PINs and passwords entered by victims, the malware can unlock the device at will and carry out malicious activities without being detected.

Furthermore, Chameleon now incorporates task scheduling through the AlarmManager API. This feature enables the malware to manage its periods of activity and define the type of activity it performs. Depending on whether Accessibility is enabled or disabled, Chameleon adapts its tactics, launching overlay attacks or collecting app usage data to determine the optimal moment for injection.

ThreatFabric warns that these additions significantly increase the sophistication and adaptability of the new Chameleon variant, making it a more formidable threat in the constantly evolving landscape of mobile banking trojans.

To protect yourself from the Chameleon threat, it is crucial to avoid downloading APKs from unofficial sources, as this is the primary distribution method for the Zombinder service. Additionally, always ensure that Play Protect is enabled on your device and regularly scan for malware and adware to keep your device clean and secure.
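As an added example for defenders (not code from the article or from ThreatFabric), the following POSIX shell helper audits the two signals the findings above hinge on: which installed packages currently hold an enabled Accessibility service, and whether each of those packages was installed by Google Play or sideloaded from elsewhere. It assumes the output formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries) and `adb shell pm list packages -i` (`package:<name>  installer=<installer>` lines, with `installer=null` for sideloaded apps), runs against constructed sample output embedded in the script, and treats only `com.android.vending` as a trusted installer; the package names in the sample and the trusted-installer list are assumptions.

```shell
#!/bin/sh
# Triage helper: flag packages that have an Accessibility service enabled but
# were not installed by a trusted store. Feed it the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# The parsing below assumes the output formats named in the lead-in.

# Installers considered trusted (assumption; add an MDM agent if you use one).
TRUSTED_INSTALLERS="com.android.vending"

# Print one package name per line from the colon-separated list
# "pkg/ServiceClass:pkg2/ServiceClass2".
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Look up the installer of package $1 in the `pm list packages -i` text $2.
# Prints "unknown" when the installer is null or the package is not listed.
installer_of() {
    pkg=$1
    esc=$(printf '%s' "$pkg" | sed 's/\./\\./g')   # dots are regex metachars
    inst=$(printf '%s\n' "$2" \
        | sed -n "s#^package:${esc}[[:space:]]*installer=\(.*\)\$#\1#p" \
        | head -n1)
    case "$inst" in
        ""|null) echo unknown ;;
        *)       echo "$inst" ;;
    esac
}

# Emit "pkg installer" for every Accessibility-enabled package whose installer
# is not trusted. Returns 1 when at least one package was flagged, else 0.
flag_sideloaded_a11y() {
    services=$1
    pkglist=$2
    found=0
    for pkg in $(a11y_packages "$services"); do
        inst=$(installer_of "$pkg" "$pkglist")
        case " $TRUSTED_INSTALLERS " in
            *" $inst "*) ;;                       # trusted store, skip
            *) echo "$pkg $inst"; found=1 ;;      # sideloaded + Accessibility
        esac
    done
    return $found
}

# Constructed sample output (not real device data) for a stand-alone demo run.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.AccService'
SAMPLE_PKGLIST='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.android.chrome  installer=com.android.vending'

# Demo: prints "com.example.sideloaded unknown" and a review hint.
flag_sideloaded_a11y "$SAMPLE_SERVICES" "$SAMPLE_PKGLIST" \
    || echo "-> review the packages above and revoke Accessibility if unexpected"
```

A hit from this script is a lead, not a verdict: legitimate screen readers and automation tools also use Accessibility, so confirm the package's origin and signer before revoking the grant or uninstalling it.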
