A new variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area, online fraud detection firm ThreatFabric reports.
Active since early 2023, the malware initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy.
When initially uncovered, ThreatFabric explains, Chameleon used multiple loggers, had limited malicious functionality, and contained various unused commands, suggesting that it was still under development.
Employing a proxy feature and abusing Accessibility Services, it could perform actions on behalf of the victim, allowing attackers to engage in Account Takeover (ATO) and Device Takeover (DTO) attacks, mainly targeting banking and cryptocurrency applications.
The malware was being distributed through phishing pages, posing as legitimate applications, and using a legitimate content distribution network (CDN) for file distribution.
ThreatFabric recently identified an updated Chameleon variant, which shows the same characteristics and modus operandi as its predecessor while also packing advanced features.
The new samples are being distributed through the Zombinder, a dropper-as-a-service (DaaS) used in attacks targeting Android users.
The observed Zombinder samples, ThreatFabric says, use a sophisticated two-staged payload process, deploying the Hook malware family along with Chameleon.
One of the most important capabilities in the new Chameleon version is a device-specific check activated when receiving a command from the command-and-control (C&C) server, which targets the ‘Restricted Settings’ protections introduced in Android 13.
Upon receiving the command, the Trojan displays an HTML page that asks the victim to enable the Accessibility service. The page guides the victim through a manual step-by-step process of enabling the service, which then allows the malware to perform DTO.
Additionally, the new Chameleon variant packs a new feature to interrupt biometric operations on the victim’s device, also enabled via a specific command.
Upon receiving the command, the malware assesses the device’s screen and keyguard status, and “utilizes the AccessibilityEvent action to transition from biometric authentication to PIN authentication,” thus bypassing the biometric prompt.
“Forcing a fallback to ‘standard’ authentication provides underground actors with two advantages. First, it facilitates the theft of PINs, passwords, or graphical keys through keylogging functionalities, because biometric data remains inaccessible to these threat actors. Second, leveraging this fallback enables those same actors to unlock devices using previously stolen PINs or passwords,” ThreatFabric explained.
The updated Chameleon variant also introduces task scheduling using the AlarmManager API, a capability observed in other banking trojans but implemented differently. If the Accessibility option is not implemented, the malware can switch to collecting information on user apps to identify the foreground application and display overlays using the ‘Injection’ activity.
UPDATE: Google has provided SecurityWeek the following statement:
Google Play Protect, the on-device malware protection on Android devices with Google Play Services, protects users from this malware both on and off-Play. If a user already had one of these apps known to contain the malware installed, the user received a warning and it was automatically uninstalled from their device. If a user tries to install an app with this identified malware, they’ll get a warning and the app will be blocked from being installed.