Cybersecurity experts unveil the resurgence of Chameleon, an Android malware, with an upgraded version that extends its reach to users in the United Kingdom and Italy.
This banking trojan is like any other virus that infects a system and then gets under its skin by bypassing biometric operations on the platform
Chameleon's Enhanced Iteration Targets the U.K. and Italy
Sneaky like its animal counterpart, the Chameleon malware is somewhat close to the lizard-like creature through its evasiveness. This banking trojan can bypass biometric operations on Android.
Chameleon, a notorious Android banking malware, has undergone a significant transformation, widening its scope to now include users in the U.K. and Italy.
Dutch mobile security firm ThreatFabric highlights the evolution of this banking trojan, showcasing its proficiency in executing Device Takeover (DTO) using the accessibility service.
Previously identified in April 2023, Chameleon initially targeted users in Australia and Poland. Known for its exploitation of Android's accessibility service, the malware's primary objectives include harvesting sensitive data and executing overlay attacks.
Earlier versions impersonated institutions like the Australian Taxation Office and the cryptocurrency platform CoinSpot.
Related Article: Mobile Security Firm Zimperium Analyzes 10 Banking Trojans on Android: Here's How to Stay Safe
New Delivery Mechanism: Zombinder Integration Amplifies Threat
The latest findings reveal a change in Chameleon's delivery method, utilizing Zombinder, an off-the-shelf dropper-as-a-service.
Zombinder, previously suspected to be inactive, resurfaced, boasting capabilities to bypass Android's 'Restricted Settings' feature. This dropper-as-a-service, according to The Hacker News, binds malicious payloads to legitimate apps, creating a potent threat.
Masquerading as Google Chrome: Deceptive Package Names
The malicious artifacts delivering Chameleon adopt a disguise, posing as the legitimate Google Chrome web browser. The package names Z72645c414ce232f45.Z35aad4dde2ff09b48 and com.busy.lady are employed to mislead users, emphasizing the malware's deceptive tactics.
An alarming feature of the enhanced Chameleon variant is its proficiency in Device Takeover (DTO) fraud. Leveraging the accessibility service, the malware executes unauthorized actions on the victim's device.
To enhance its success rate, this banking trojan performs checks on the Android version, specifically prompting users with Android 13 or later to enable the accessibility service.
Disrupting Biometric Operations: Covert Manipulation via Android APIs
The evolved Chameleon introduces a novel method to disrupt biometric operations. It discreetly transitions the lock screen authentication from biometrics to a PIN, allowing the malware to unlock the device at will using the accessibility service. This covert manipulation raises concerns about the malware's ability to compromise device security seamlessly.
Regarding this banking trojan, Zimperium shared its recent take on the emergence of Android malware. The concerning trend reveals that 29 malware families, including 10 new ones are targeting 1,800 banking applications across 61 countries.
The U.S., the U.K., and Italy top the list of targeted countries, emphasizing the global reach of these threats.
"The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem. Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features," ThreatFabric said in its latest report.
If it's too good to be true, don't download an app or game you think is suspicious. Always research about them first before clicking the "install" button on your device.
Read Also: Your Android Smartphone Might Be Infected With Anatsa Banking Trojan- Uninstall These Apps NOW!
