
Android malware is constantly evolving and gaining scary new capabilities, like the Chameleon banking Trojan that was first discovered in early 2023. A new update to the malicious app gives it incredible new powers, like blocking fingerprint authentication so it can get your phone’s PIN code or password.
Most Android users shouldn’t worry about Chameleon as long as they only download apps from the Google Play store and know how to avoid phishing scams online. Chameleon can be installed on your device only if you download apps from third-party sites.
The latest Chameleon malware may come in the form of a Chrome browser app. Dangerous malware is attached to the app, so you think you are getting a genuine Google product. The solution here is simple: Search for apps on the Play Store and don’t install apps from anywhere else.
Cybersecurity researchers at ThreatFabric gave details of the newly evolved version of Chameleon.
One of the upgrades the malware has received is expanded reach. It has been found in the UK and Italy, while the original version only targeted Android users in Australia and Poland. An early version of the Trojan already had dangerous capabilities, targeting users’ banking and crypto apps:
This banking Trojan displayed a specific ability to manipulate the victim’s device, performing tasks on the victim’s behalf through a proxy feature. This feature enables advanced maneuvers such as account takeover (ATO) and device takeover (DTO) attacks, specifically targeting banking applications and cryptocurrency services. These practices relied on abuse of accessibility service privileges.
In Australia, it disguised itself as apps from official institutions such as the Australian Taxation Office (ATO). In Poland, this took the form of popular mobile banking apps.
The updated version has been seen spreading in Europe as a Google Chrome download.
Once installed, Chameleon will attempt to do two things: enable accessibility services and turn off biometric prompts.
For the first, the malware checks which Android version the phone is running. If it detects Android 13 or later, it displays an HTML page that guides the user through the process of enabling accessibility services on the device. The page provides step-by-step guidance and may look like a real help page to unsuspecting victims.
Chameleon Android malware will attempt to force PIN unlock instead of biometrics. Image Source: ThreatFabric
The second new power that Chameleon got is the ability to disable biometric authentication in favor of a PIN:
This method uses the KeyguardManager API and AccessibilityEvent to assess the screen and keyguard state. It evaluates the state of the keyguard related to various locking mechanisms such as pattern, PIN or password. When specified conditions are met, the malware uses the AccessibilityEvent action to transition from biometric authentication to PIN authentication. This bypasses the biometric prompt, allowing the Trojan to unlock the device at will.
This feature allows the malware to steal PINs and passwords through its keylogger. That may allow thieves to actually steal and use the handset.
Alternatively, forcing PIN authentication may be convenient if hackers can use the malware to remotely operate the handset. They can unlock screens and apps protected by the same fingerprint and password combination. Although this is speculation, it is clear that the new Chameleon is a more advanced, more dangerous version than the initial 2023 version.
Finally, ThreatFabric researchers say Chameleon also has improved task scheduling features and can customize which apps a user can use on the device. The malware can insert features into an app, such as displaying a fake screen that can look real, when accessibility features are turned on. Otherwise, the malware may collect data about apps that are in the foreground.
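A defender-side check that follows from the behavior described above, added here as an example and not taken from ThreatFabric or the original article: it lists the accessibility services enabled on a device and flags any whose package was not installed by the Play Store. The sample text is constructed, and the `com.example.*` package names are hypothetical.

```python
# Added example: flag enabled accessibility services that were sideloaded.
# On a real device the two inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# The sample text below is constructed for illustration.

PLAY_STORE = "com.android.vending"

SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chrome.update/.HelperService"  # hypothetical package
)

SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chrome.update  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installers[name.strip()] = rest.strip() or "null"
    return installers


def sideloaded_accessibility_services(services, pm_output):
    """Return (package, installer) for enabled services not from the Play Store."""
    services = services.strip()
    if services in ("", "null"):  # the setting is unset when nothing is enabled
        return []
    installers = parse_installers(pm_output)
    flagged = {}
    for component in filter(None, services.split(":")):
        package = component.split("/", 1)[0]  # component is package/class
        installer = installers.get(package, "unknown")
        if installer != PLAY_STORE:
            flagged[package] = installer
    return list(flagged.items())


if __name__ == "__main__":
    for pkg, src in sideloaded_accessibility_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"review: {pkg} has accessibility access, installer={src}")
```

Preinstalled system apps can also report no installer, so a hit is a prompt to review the package, not proof of infection.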
Google is aware of this threat and has also told The Hacker News that Play Protect will protect users from the threat:
The emergence of the new Chameleon banking Trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem. Evolving from its earlier version, this version features increased flexibility and advanced new features.
But ultimately, it is up to you to avoid downloading apps from untrusted sources. This means never clicking on suspicious links you receive via email or instant chat apps. All of this goes double if you have a phone without Google Play Services installed. This is the only way to get the Play Protect feature that Google has enabled by default on devices with Google Play Store installed.
I would also say that if you have an Android phone that doesn’t have support for Google apps, you should probably avoid trying to download these Google apps from anywhere. That is how you can get into trouble.