
A new variant of the Chameleon Android malware has been found in the wild with new features, notable among them the ability to bypass the fingerprint lock.
The Chameleon Android banking trojan first entered the scene in early 2023 with a primary focus on mobile banking applications in Australia and Poland, but has since expanded to other countries, including the UK and Italy. The malware uses multiple loggers but its functionality is somewhat limited.
Older versions of Chameleon could act on behalf of the victim, enabling those behind the malware to take over accounts and devices. As ThreatFabric researchers detailed on Dec. 21, Chameleon has traditionally abused the Android Accessibility Service to steal sensitive information from endpoints and mount overlay attacks.
However, the new version comes with two changes: the ability to bypass biometric signals and the ability to display an HTML page to enable the accessibility service in devices that implement Android 13’s “Restricted Settings” feature. According to the researchers, the enhancements increase the sophistication and adaptability of the new Chameleon variant, making it a more powerful threat in the constantly evolving landscape of mobile banking Trojans.
The new Chameleon version starts by scanning to see if the OS is Android 13 or newer. If so, the malware prompts the user to turn on accessibility services, even guiding the user through the process. Once complete, the malware can perform unauthorized actions on behalf of the user.
This isn’t a particularly unique capability among malware families, but the next part is where it gets interesting: the ability to disrupt biometric operations on the targeted device and bypass fingerprint locks.
This method uses the KeyguardManager application programming interface and AccessibilityEvent, an Android system-level event that provides information about changes to the user interface, to assess screen and keyguard status. Keyguard in Android is a system component responsible for managing device security, such as screen lock and authentication mechanisms.
The malware evaluates the state of the keyguard relative to various locking mechanisms such as patterns, PINs or passwords. When specific conditions are met, the malware uses the AccessibilityEvent action to transition from biometric authentication to PIN authentication. This bypasses the biometric prompt, allowing the Trojan to unlock the device at will.
This method is said to give two advantages to those behind the malware: the ability to facilitate the theft of PINs, passwords or graphical keys through keylogging functionalities by bypassing biometric data, and the ability to unlock devices using a previously stolen PIN or password.
The researchers concluded, “The emergence of the new Chameleon banking Trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem. Evolving from its earlier version, this version features increased flexibility and innovative new features.”
To avoid getting infected, users should use common sense when installing applications, such as not installing apps from questionable unofficial sites and employing security measures such as Play Protect, a security feature on Android devices that scans and verifies apps to prevent the installation of harmful software.