Experts Raise The Alarm Against New Android Chameleon Trojan With Wide Range Of Malicious Functions

A new alert has been issued by security researchers against an Android trojan dubbed ‘Chameleon’.

The malware has been seen targeting users in Australia and Poland since the start of this year. Furthermore, its wide range of malicious functions includes mimicking crypto exchanges, according to a recently published statement by the Australian Government.

This new type of mobile malware was first discovered by top cybersecurity firm Cyble, which says it was distributed through compromised webpages, Discord attachments, and even Bitbucket hosting services.

The firm also described how the malware comes with a range of malicious functions, including stealing users’ sensitive details via overlay injections, cookies, and texts from infected phones, and even keylogging.

New reports also describe what happens when the trojan is launched: the malware performs a long series of checks designed to evade detection by security software.

These include anti-emulation checks, as well as checks for whether the device is rooted or being debugged once the malware is activated, which help it work out whether it is running in an analyst’s environment.

If the environment appears clean, the infection continues, and that is when Chameleon asks the victim to allow it to use Accessibility Services. That permission gives it the chance to abuse the service and grant itself further permissions for activities such as disabling Google Play Protect and even preventing the user from removing it.

When it first connects to the C2 server, the trojan sends the device version, the malware variant, root status, country, and exact location to report the infection.

After that, it can open legitimate URLs, depending on the entity it impersonates, in a WebView, while loading malicious modules in the background.

Moreover, these modules enable dangerous activities such as injecting phishing pages, keylogging, stealing cookies, and SMS theft. Any 2FA protections in place can similarly be bypassed.

Most of these functions steal data, and they rely on abuse of Accessibility Services to operate as required: the service lets the malware monitor screen content and specific events, and intervene to change elements of the interface. It can also make a few API calls.
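Because Chameleon, like most Android stealers described here, cannot do much until the victim grants it Accessibility Services, a banking or exchange app can detect that exposure by auditing which accessibility services are currently enabled. The following is an added example, not code from the article or from Cyble; the allowlist package name is a placeholder that each operator would replace with the services they have vetted.

```java
// Added defender-side example (not from the article): flag enabled Accessibility
// Services that are not on the app's own allowlist, and note whether each one can
// read window content, the capability overlay and keylogging abuse depends on.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ResolveInfo;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {

    // Assumption: placeholder allowlist; the platform screen reader is a typical vetted entry.
    private static final Set<String> ALLOWED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"
    ));

    private AccessibilityAudit() {}

    /** One finding per enabled accessibility service that is not allowlisted. */
    public static final class Finding {
        public final String packageName;
        public final boolean canReadWindowContent;
        Finding(String packageName, boolean canReadWindowContent) {
            this.packageName = packageName;
            this.canReadWindowContent = canReadWindowContent;
        }
    }

    /** Returns every enabled accessibility service whose package is not on the allowlist. */
    public static List<Finding> unexpectedServices(Context context) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return findings;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            String pkg = ri.serviceInfo.packageName;
            if (ALLOWED_PACKAGES.contains(pkg)) continue;
            boolean readsContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            findings.add(new Finding(pkg, readsContent));
        }
        return findings;
    }
}
```

A non-empty result is a signal to surface a warning or step up authentication, not proof of infection, since legitimate assistive tools outside the allowlist will also appear.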

But another major danger pointed out by security experts is the malware’s ability to prevent itself from being uninstalled.
