Chameleon Android malware can bypass fingerprint, face unlock

Security researchers have discovered a new variant of the Chameleon Android malware, a banking trojan circulating since early 2023. The latest variant comes with additional functionalities that can do more damage to a victim. The malware also employs new tactics to avoid detection.

Chameleon Android malware re-emerges with new capabilities

The Chameleon Android malware was first spotted in January this year. As reported by cybersecurity firm ThreatFabric, the trojan targeted users in Australia and Poland. It impersonated Australian government agencies, banks, and the CoinSpot cryptocurrency exchange to trick unsuspecting users. Once active on a compromised device, the malware could perform keylogging, overlay injection, cookie theft, and SMS theft, among other things.

The firm anticipated a more powerful variant of the trojan, and it has now emerged. The new version has already been seen in action in Italy and the UK. The malicious minds behind the malware are distributing it via the Zombinder service, with the malware posing as Google Chrome. The service attaches the malware to genuine Android apps so cleanly that it can even bypass Google Protect alerts and antivirus software.

The app in question also offers the same functions as the original, malware-free version. This means users have no reason to suspect anything is wrong with their app. However, behind the scenes, the trojan can execute several malicious functions that can cause them severe damage. With its new capabilities, it can do more damage than the original variant of the Chameleon Android malware could.

The cybersecurity firm reports that the trojan can dynamically respond to the OS version of the device. On devices running Android 13 and later, which have stricter app permissions, it displays an HTML page and prompts users to enable the Accessibility service. Effectively, it bypasses the system restrictions to gain additional privileges that it abuses to steal information displayed on the screen.

It can also bypass biometric authentication

The other new feature of the updated Chameleon malware is the ability to bypass biometric prompts. It leverages Accessibility services to force users to fall back to PIN, pattern, or password authentication. Since biometrics such as fingerprint and face unlocking aren’t accessible to attackers, this tactic enables them to steal a user’s PIN, pattern, or password through keylogging. They can then remotely unlock the device at any time and perform malicious activities.

The new Chameleon variant can also perform task scheduling using the AlarmManager API. While task scheduling is common among trojans, this particular variant has a dynamic approach to it. The Chameleon Android malware can detect whether Accessibility is enabled or disabled and adapt accordingly. These features allow the malware to determine the best moment for initiating overlay or injection activity.

“These enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans,” ThreatFabric security experts warn. The best way to keep malware at bay is to avoid installing apps (APK files) from unknown sources. You should always download apps from trusted platforms such as the Google Play Store.

2023-12-27 15:06:18