Severity
High
Analysis Summary
The notorious banking trojan Chameleon has re-emerged with a new variant that disables fingerprint and face unlock on Android devices in order to steal PIN codes. It does this by using an HTML page to obtain access to the Accessibility service and by using a method that disrupts biometric operations, which lets the threat actors capture PINs and unlock the device.
The first version of Chameleon was discovered in April 2023 and mainly targeted Australia, impersonating government agencies, banks, and the CoinSpot cryptocurrency platform. The malware is capable of keylogging, cookie theft, overlay injection, and SMS theft on infected devices. Researchers have discovered that the malware is being spread through the Zombinder service, posing as Google Chrome.
Zombinder binds the malware to legitimate Android apps, so the targeted users keep the app’s full functionality and the malicious code is less likely to arouse suspicion. This makes the malware difficult to detect at runtime, as it bypasses Google Play Protect alerts and evades anti-virus solutions on the compromised device.
One of the new features discovered in the latest version of Chameleon is its ability to display an HTML page on devices running Android 13 and later that prompts the targeted user to grant the app permission to use the Accessibility service. Android 13 and later include a feature called “Restricted Settings” that blocks the approval of permissions commonly abused by malware, such as Accessibility. With this permission, the malware can steal content shown on the screen, perform navigation gestures, and even grant itself additional permissions.
When Chameleon detects Android 13 or 14 after launch, it loads an HTML page that walks the victim through a manual process to enable Accessibility for the app, bypassing this protection.
Another new feature is the malware’s ability to disrupt biometric operations on the compromised device, such as face and fingerprint unlock. This is achieved through the Accessibility service and forces the device to fall back to PIN or password authentication. The malware records any password or PIN entered to unlock the device, ultimately letting the attacker unlock it at will and carry out malicious activity. The last notable feature added to Chameleon’s arsenal is task scheduling through the AlarmManager API, which lets it manage its periods of activity and define the type of activity to be performed.
The malware is versatile: depending on whether Accessibility is enabled, it adapts between launching overlay attacks and collecting data about app usage in order to decide the best time for injection. These new features raise the sophistication and adaptability of the new version of Chameleon and turn it into a more potent threat.
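An added defender-side triage example, not from the original advisory: a Python script that parses the output of two adb shell commands to flag sideloaded third-party apps that hold an enabled Accessibility service, the combination a Zombinder-delivered Chameleon sample relies on. The package and service names and the command output below are constructed samples, and the trusted-installer set is an assumption.

```python
# Constructed sample output of the two adb commands; package names are hypothetical.
# `adb shell settings get secure enabled_accessibility_services` (colon-separated list)
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/.AccService"
)
# `adb shell pm list packages -3 -i` (third-party apps with their installing package)
SAMPLE_PACKAGES = """\
package:com.example.fakechrome  installer=null
package:com.bank.mobile  installer=com.android.vending
"""
# Installer packages treated as a trusted store (assumption: Play Store only).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split 'pkg/Service:pkg2/.Service2' into (package, fully qualified service) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, _, svc = entry.partition("/")
        # A leading '.' means the class name is relative to the package.
        pairs.append((pkg, pkg + svc if svc.startswith(".") else svc))
    return pairs


def parse_installers(raw: str) -> dict[str, str]:
    """Map package -> installer from `pm list packages -i` lines ('null' when unknown)."""
    installers = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            pkg, _, rest = line[len("package:"):].partition("installer=")
            installers[pkg.strip()] = rest.strip() or "null"
    return installers


def find_suspicious(services_raw: str, packages_raw: str) -> list[tuple[str, str, str]]:
    """Return (package, service, installer) for enabled Accessibility services whose
    package is a third-party app not installed from a trusted store. Packages missing
    from the -3 listing are preinstalled (e.g. TalkBack) and are skipped."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        installer = installers.get(pkg)
        if installer is not None and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, svc, installer))
    return findings


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES))
```

Any package the script reports deserves manual review of its install source and its Accessibility service declaration rather than automatic removal.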
Impact
- Sensitive Information Theft
- Keylogging
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IoCs) in your environment utilizing your respective security controls.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
- Avoid downloading APKs from unofficial sources, as this is the main distribution method for the Zombinder service.
- Make sure that Play Protect is enabled at all times.
- Regularly scan your device to make sure it is clean of malware and adware.