Chameleon Banking Trojan: Advanced Threats in Android Security

The Chameleon Android malware, dreaded by cybersecurity experts, has undergone enhancements. According to ThreatFabric researchers, this malware now empowers attackers to disable fingerprint unlock features and pilfer PIN codes. Functioning similarly to other banking malware, Chameleon exploits Android Accessibility Service, executing overlay attacks and extracting sensitive information.

In this upgraded version, two significant modifications stand out. Firstly, Chameleon gains the ability to execute Device Takeover (DTO) fraud. Additionally, it can now seamlessly shift the lock screen from biometrics to PIN.

In the case of the first enhancement, the malware conducts an initial check to determine if the operating system is Android 13 or newer. Upon confirmation, it prompts users to activate accessibility services, providing step-by-step guidance. Once completed, unauthorized actions are carried out on behalf of the user.

Chameleon Banking Trojan: Advanced Tactics in Android Threat Landscape

When Android 13 Restricted Settings are confirmed on the compromised device, the banking trojan loads an instructive HTML page. This page systematically guides users through enabling the accessibility service on Android 13 and above.

In its second capability, Chameleon utilizes Android APIs to discreetly shift the lock screen authentication to a PIN, facilitating the malware’s phone unlocking when necessary. Granting accessibility services is a prerequisite for this function.

The emergence of this Chameleon banking trojan showcases the Android ecosystem’s sophisticated and adaptive threat landscape. Evolving from its predecessor, this variant demonstrates heightened resilience and introduces advanced features.

Expanding its reach, the new version transcends boundaries, extending from Australia and Poland to encompass the UK and Italy.

Through TheHackerNews