Security researchers have discovered a new variant of the Chameleon Android malware, a banking trojan that has been circulating since early 2023. The latest version comes with additional functionalities that can cause more harm to the victim, and the malware also adopts new strategies to evade detection.

Chameleon Android malware has re-emerged with new capabilities

Chameleon Android malware was first spotted in January this year. The Trojan targeted users in Australia and Poland, cybersecurity firm ThreatFabric reports. It impersonated Australian government agencies, banks, and the Coinspot cryptocurrency exchange to trick unsuspecting users. Once active on a compromised device, the malware can perform keylogging, overlay injection, cookie theft, and SMS theft, among other things.

The company was expecting a more powerful version of the Trojan and it has now emerged. The new variant has already been seen in Italy and the UK. The malicious minds behind the malware are distributing it through the Zombinder service posing as Google Chrome. The service attaches malware to genuine Android apps so cleanly that it can even bypass Google Protect alerts and antivirus software.

The app in question also offers the same functions as the original, malware-free version. This means that users have no reason to suspect anything is wrong with their app. Behind the scenes, however, the Trojan can perform many malicious actions that cause serious harm. With its new capabilities, the new variant can do more damage than the original version of the Chameleon Android malware.

The cybersecurity firm reports that the Trojan can respond dynamically to the device’s OS version. On devices running Android 13 and later that have strict app permissions, it displays an HTML page and prompts users to enable the Accessibility service. Effectively, it bypasses system restrictions to gain additional privileges which it abuses to steal information displayed on the screen.

It can also bypass biometric authentication

The other new feature of the updated Chameleon malware is the ability to bypass biometric authentication. It leverages accessibility services to force users to perform PIN, pattern, or password authentication. Since biometrics such as fingerprint and face unlocking are not available to attackers, this strategy enables them to steal a user’s PIN, pattern, or password through keylogging. They can then remotely unlock the device at any time and perform malicious activities.

The new Chameleon version can also perform task scheduling using the AlarmManager API. While task scheduling is common among trojans, this particular version takes a dynamic approach to it. Chameleon Android malware can detect whether accessibility is enabled or disabled and adapt accordingly. These features allow the malware to determine the best moment to initiate overlay or injection activity.
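Every capability described above (the Android 13+ permission prompt, the forced PIN fallback, the accessibility-aware scheduling) depends on the victim enabling the malicious app's Accessibility service. The following triage script, added here as an example and not taken from the article or from ThreatFabric, reads the Accessibility services enabled on an Android device and flags any package outside an allowlist; the `adb shell settings get secure` commands are real, while the allowlist and the sample setting string are constructed for illustration.

```shell
#!/bin/sh
# Accessibility service triage for a single Android device (added example).
# Packages you expect to hold accessibility access (assumed values; adjust per fleet).
ALLOWLIST="com.android.talkback com.google.android.marvin.talkback"

# Parse the value of the 'enabled_accessibility_services' secure setting, a
# colon-separated list of ComponentNames (package/class), and print each
# package that is not in ALLOWLIST, one per line. Empty input prints nothing.
flag_unknown_a11y() {
    setting="$1"
    [ -z "$setting" ] && return 0
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r component; do
        pkg="${component%%/*}"          # strip the '/ServiceClass' part
        [ -z "$pkg" ] && continue
        known=0
        for allowed in $ALLOWLIST; do
            [ "$pkg" = "$allowed" ] && known=1
        done
        [ "$known" -eq 0 ] && printf '%s\n' "$pkg"
    done
    return 0
}

# Pull the live settings from a connected device (adb must be on PATH).
# 'accessibility_enabled' is 1 when any accessibility service is active.
check_device() {
    enabled=$(adb shell settings get secure accessibility_enabled | tr -d '\r')
    services=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    [ "$services" = "null" ] && services=""
    echo "accessibility_enabled=$enabled"
    echo "unexpected accessibility services:"
    flag_unknown_a11y "$services"
}

# Constructed sample: a legitimate screen reader plus an unrecognised package
# posing as a browser, the kind of entry this check is meant to surface.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechrome/com.example.fakechrome.A11yService"

if [ "${1:-}" = "--device" ]; then
    check_device
else
    flag_unknown_a11y "$SAMPLE"   # prints: com.example.fakechrome
fi
```

Run with `--device` against a connected phone; any flagged package warrants a look at where it was installed from and what it asks for.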

ThreatFabric security experts warn, “These enhancements increase the sophistication and adaptability of the new Chameleon variant, making it a more powerful threat in the constantly evolving landscape of mobile banking Trojans.” The best way to keep malware away is to avoid installing apps (APK files) from unknown sources. You should always download apps from trusted platforms like Google Play Store.
