Dangerous Android banking trojan Chameleon reemerges
Security researchers at Threat Fabric have discovered a new variant of the Android banking trojan Chameleon. This new variant supports new device takeover capabilities that include the ability to bypass biometric prompts.
Chameleon emerged as a threat in January 2023. It was distributed using various methods to infiltrate Android devices. The initial focus of the banking trojan were users in Poland and Australia.
The trojan targeted banking apps primarily and was distributed through phishing websites by disguising itself as legitimate applications. In Poland, Chameleon disguised itself as legitimate banking apps while it claimed to be an official app of the Taxation Office in Australia.
The new variant of Chameleon takes things a step further. Besides targeting Android users in the United Kingdom and Italy as well, it is equipped with new capabilities that make it even more dangerous.
Threat Fabric explains that the new variant likes to disguise it as Google Chrome, the world's most popular web browser. The variant supports two new capabilities.
The first, HTML Prompt to Enable Accessibility Service, responds dynamically to Android 13 devices with applied restrictions on applications. It displays an HMTL page to users in this case that prompts them to enable Accessibility services. The step is of utmost importance, as Chameleon relies on the Accessibility service to run its device takeover attacks.
The researchers explain: "Upon receiving confirmation of Android 13 Restricted Settings being present on the infected device, the banking trojan initiates the loading of an HTML page. The page is guiding users through a manual step-by-step process to enable the Accessibility Service on Android 13 and higher. The visual representation below provides an overview of the new Chameleon variant's adaptation in response to the Android 13 environment."
The second major feature of the new Chameleon variant is its ability to interrupt biometric operations on infected devices. The core idea behind this feature is to switch from biometric authentication, for instance via a fingerprint, to Pin-based authentication.
This allows the trojan to capture the user's PIN, password or pattern. These may then be used by the trojan to unlock device.
Another improved feature uses Task Scheduling using the AlarmManager API. The trojan implements a dynamic approach again. In essence, it enables the trojan to determine the foreground app. It needs the information to determine whether it will display overlays and inject activity.
The researchers note that attacks rely on the distribution of Android APK files through third-party sources. There is clearly no need to download Google Chrome or other important applications from a third-party source.
The new trojan may target specific regions primarily, but it is clear that operations will expand to other regions in the future.
Now You: do you download and install APK files from third-party sources?
You need to ask the right question. Do you use your phone for banking?
How anyone could believe a device purposely designed to invade their privacy would do anything but is confusing to me.
I dont use chrome or living in poo land or asstralia. so not a problem
No third party APK files. Crome disabled. Only have 3 apps installed that did not come with the device. No finacial apps, no apps with built-in ads, or micro-transactions. Device is locked down, and used as a communications device only.
No I don’t download APK files from third party sources. But neither do I use Google Chrome. Also, although pushed by Dutch banks, I refused to install a banking app because my phone is too old and hasn’t received security updates for several years already. Banking apps in NL only require a five digit code to login with which looked to me to be inherently insecure to begin with.