Android malware, such as the Chameleon Banking Trojan, which was discovered for the first time in early 2023, is still evolving and gaining terrifying new features. The malicious program has amazing new capabilities thanks to a recent upgrade, such as the ability to bypass fingerprint verification and access your phone’s password or PIN code.
As long as they only download apps from the Google Play store and know how to avoid phishing schemes online, the majority of Android users shouldn’t have any concerns regarding Chameleon. The malware can only end up on your smartphone if you download apps from unofficial websites.
The most recent version of the Chameleon malware may come bundled with what looks like the Chrome browser app. You may believe that you are getting an authentic Google product, but the app has harmful spyware attached to it. Here, the solution is straightforward: Avoid installing apps from other sources and instead look for them on the Play Store.
ThreatFabric’s cybersecurity experts provided details on the updated Chameleon variant.
Extended reach is one of the improvements the malware received. Although the original versions were limited to Android users in Australia and Poland, the malware has now also been detected in the UK and Italy. Targeting a user’s cryptocurrency and banking applications, the initial iteration of the malware already possessed harmful capabilities:
Through the use of a proxy feature, this banking trojan demonstrated a distinctive capacity to control the victim’s device and carry out actions on their behalf. This feature, which mostly targets bitcoin services and banking apps, makes Account Takeover (ATO) and Device Takeover (DTO) attacks possible. These functions depend on the abuse of Accessibility Service privileges.
It impersonated legitimate apps in Australia, including those from the Australian Taxation Office (ATO). It pretended to be well-known mobile banking apps in Poland.
Updated versions are being distributed in Europe under the guise of Google Chrome downloads.
After installation, Chameleon will attempt to disable biometric prompts and enable accessibility services.
Regarding accessibility services, the malware first checks the phone’s Android version. When it determines that the device is running Android 13 or later, it shows an HTML page that walks the user through setting up Accessibility Services. The page gives victims step-by-step instructions and may appear to them as a legitimate source of assistance.
Chameleon’s second new capability is the ability to disable biometric authentication in favor of a PIN.
This method evaluates the screen and keyguard state using the KeyguardManager API and AccessibilityEvent. It assesses the keyguard’s condition in relation to different locking methods, including password, PIN, and pattern. The malware uses the AccessibilityEvent action to switch from biometric authentication to PIN authentication when the predetermined criteria are met. This gets around the biometric prompt and lets the trojan unlock the device whenever it wants.
This feature enables the malware to use a keylogger to capture passwords and PINs. This might make it possible for thieves to steal the phone and use it.
Alternatively, if hackers are able to remotely control the phone through the malware, forcing PIN authentication would be convenient for them. With the same fingerprint and password, they could unlock the screen and any apps that were password-protected. That is only conjecture, but it’s obvious that the current Chameleon is more sophisticated and dangerous than the early 2023 variant.
Lastly, according to the experts at ThreatFabric, Chameleon has enhanced job scheduling features and can adjust to the programs a user runs on the device. If accessibility features are enabled, the malware can inject functionality into an application, such as displaying phony screens that may appear authentic. If not, the malware may instead gather information about the open apps.
Google informed The Hacker News that Play Protect will shield consumers from the attack, indicating that it is aware of it:
Another illustration of the complex and ever-changing threat landscape within the Android ecosystem is the appearance of the new Chameleon banking malware. This version has improved new features and is more resilient than its previous edition.
It is ultimately your responsibility to refrain from downloading programs from unreliable sources. This also means that you should never click on dubious links that you may receive through instant messaging apps or emails. All of that matters even more if your phone isn’t running Google Play Services: the Play Protect feature, which Google has enabled by default on devices running the Google Play store, is only available on such devices.
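Because the trojan depends on both sideloading and an enabled accessibility service, a quick device audit is to list the enabled accessibility services and flag any whose package was not installed by the Play Store. The script below is an added example, not code from ThreatFabric or Google. Its package names and sample output are constructed, and the trusted-installer list is an assumption to adjust for your own policy.

```python
# Added example: flag enabled accessibility services that belong to sideloaded apps.
# On a real device the two input strings would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play store (assumed policy)

def parse_enabled_services(raw):
    """Return package names from a colon-separated list of package/service components."""
    raw = raw.strip()
    if raw in ("", "null"):  # the setting prints "null" when nothing is enabled
        return []
    return [comp.split("/", 1)[0] for comp in raw.split(":") if comp]

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` output lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers

def flag_sideloaded_accessibility(services_raw, packages_raw):
    """Return sorted (package, installer) pairs that need manual review."""
    installers = parse_installers(packages_raw)
    flagged = set()
    for pkg in parse_enabled_services(services_raw):
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            flagged.add((pkg, installer))
    return sorted(flagged)

# Constructed sample data (hypothetical package names, not taken from the report).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakebrowser/com.example.fakebrowser.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebrowser  installer=null
package:com.example.game  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} has an accessibility service enabled (installer={installer})")
```

Preinstalled system apps can also report a null installer, so treat each flagged entry as a prompt for review and not as proof of infection.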