Connect with us

Hi, what are you looking for?


Malware & Threats

Chameleon Android Malware Can Bypass Biometric Security

A variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area.

Android patches

A new variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area, online fraud detection firm ThreatFabric reports.

Active since early 2023, the malware initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy.

When initially uncovered, ThreatFabric explains, Chameleon used multiple loggers, had limited malicious functionality, and contained various unused commands, suggesting that it was still under development.

Employing a proxy feature and abusing Accessibility Services, it could perform actions on behalf of the victim, allowing attackers to engage in Account Takeover (ATO) and Device Takeover (DTO) attacks, mainly targeting banking and cryptocurrency applications.

The malware was being distributed through phishing pages, posing as legitimate applications, and using a legitimate content distribution network (CDN) for file distribution.

ThreatFabric recently identified an updated Chameleon variant, which shows the same characteristics and modus operandi as its predecessor while also packing advanced features.

The new samples are being distributed through the Zombinder, a dropper-as-a-service (DaaS) used in attacks targeting Android users.

The observed Zombinder samples, ThreatFabric says, use a sophisticated two-staged payload process, deploying the Hook malware family along with Chameleon.

Advertisement. Scroll to continue reading.

One of the most important capabilities in the new Chameleon version is a device-specific check activated when receiving a command from the command-and-control (C&C) server, which targets the ‘Restricted Settings’ protections introduced in Android 13.

Upon receiving the command, the Trojan displays an HTML page that asks the victim to enable the Accessibility service. The page guides the victim through a manual step-by-step process of enabling the service, which then allows the malware to perform DTO.

Additionally, the new Chameleon variant packs a new feature to interrupt biometric operations on the victim’s device, also enabled via a specific command.

Upon receiving the command, the malware assesses the device’s screen and keyguard status, and “utilizes the AccessibilityEvent action to transition from biometric authentication to PIN authentication,” thus bypassing the biometric prompt.

“Forcing a fallback to ‘standard’ authentication provides underground actors with two advantages. First, it facilitates the theft of PINs, passwords, or graphical keys through keylogging functionalities, because biometric data remains inaccessible to these threat actors. Second, leveraging this fallback enables those same actors to unlock devices using previously stolen PINs or passwords,” ThreatFabric explained.

The updated Chameleon variant also introduces task scheduling using the AlarmManager API, a capability observed in other banking trojans but implemented differently. If the Accessibility option is not implemented, the malware can switch to collecting information on user apps to identify the foreground application and display overlays using the ‘Injection’ activity.

UPDATE: Google has provided SecurityWeek the following statement:

Google Play Protect, the on-device malware protection on Android devices with Google Play Services, protects users from this malware both on and off-Play. If a user already had one of these apps known to contain the malware installed, the user received a warning and it was automatically uninstalled from their device. If a user tries to install an app with this identified malware, they’ll get a warning and the app will be blocked from being installed.

Related: New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia

Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

Related: Google Improves Android Security With New APIs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.