The infamous Chameleon banking trojan that took center stage on Android devices and wreaked havoc for users is now back, security experts warn.
The malicious trojan makes use of sneaky techniques that grab a hold of devices and start to disable user-specific safeguards in place. This includes face unlock as well as disabling fingerprints in an attempt at PIN theft.
The technique employed is simple. They make use of HTML pages that trick the user into acquiring permission to their Accessibility. All of a sudden, a method erupts where biometric operations emerge whose main goal is to steal the PIN while unlocking the device.
The early variants for such a trojan were seen during the start of April of 2023 where it mimicked governmental agencies hailing from Australia. Other than that, easy targets included banks and crypto exchanges too. It was also easy for them to carry out keylogging while overlaying injections and carrying out cookie theft while message theft is also on the rise through devices deemed unsafe.
Researchers from ThreatFabric were quick to add how they’ve been keeping track of the malware and its current status says it’s being distributed through the Zombinder offering that continues to disguise itself like Google Chrome.
The Zombinder acts to stick the malware to real apps on Android. In this manner, the victim may enjoy complete functionality for the platform which they made plans to download. This just reduces the probability of suspecting any type of dangerous code that continues to run in the background.
The app added how there are plenty of malicious bundles that can’t be detected at the current time, and in the end, they just bypass all security barriers like alerts and end up evading the anti-virus products taking place on infected devices.
Now the question on many people’s minds is what exactly are the latest features on this front when it comes down to the Chameleon version? The answer is simple. It’s the chance to display various HTML pages on any running phone having Android 13. Soon after that, it prompts the victims to provide app permissions that utilize Accessibility services.
Android 13 and any variant after that continues to attain protection via security features such as Restricted Settings. The latter is designed to block dangerous app permissions such as those trying to get a hold of Accessibility. And it’s commonly observed how malware ends up stealing content online via such a feature. They may also grant permission while carrying out all types of navigation gestures along the way.
After detecting Android 13 or even 14, it would install HTML pages that serve as a guide for users via manual techniques. This would enable Accessibility for such platforms and would even bypass the overall protection features on the system.
But that’s not all. Another much-talked-about feature enables the chance to cause a rift in biometric functionalities across devices such as face unlocking and fingerprint detection through accessibility. And what that does is it enforces falling back on the likes of a password check or verification through PIN.
In the end, the malware grabs hold of PINs and any passcodes that victims add for device unlocking. Later on, they use just that to carry out illegal activities that no one can see, leaving victims vulnerable at all times as it’s hidden.
Last but not least, the experts noticed how Chameleon controls the kind of activity and duration of activity taking place on devices via an API dubbed AlarmManager. This all depends upon whether or not Accessiblity is open or not. And if the former stands true, it can cause destruction through several means.
It might be linked to determining which time is best for injecting or how to best collect data.
The degree of sophistication with which the banking trojan carries out its activities is proof of how strict vigilance is required to ensure the threat is kept minimal. This includes limiting APK collection via unofficial services.
At the same time, users are recommended to have Play Protect active at all times while performing routine scans to eliminate threats.
Read next: Security Experts Raise The Alarm Against New Phishing Email Scam Targeting Instagram Users
The malicious trojan makes use of sneaky techniques that grab a hold of devices and start to disable user-specific safeguards in place. This includes face unlock as well as disabling fingerprints in an attempt at PIN theft.
The technique employed is simple. They make use of HTML pages that trick the user into acquiring permission to their Accessibility. All of a sudden, a method erupts where biometric operations emerge whose main goal is to steal the PIN while unlocking the device.
The early variants for such a trojan were seen during the start of April of 2023 where it mimicked governmental agencies hailing from Australia. Other than that, easy targets included banks and crypto exchanges too. It was also easy for them to carry out keylogging while overlaying injections and carrying out cookie theft while message theft is also on the rise through devices deemed unsafe.
Researchers from ThreatFabric were quick to add how they’ve been keeping track of the malware and its current status says it’s being distributed through the Zombinder offering that continues to disguise itself like Google Chrome.
The Zombinder acts to stick the malware to real apps on Android. In this manner, the victim may enjoy complete functionality for the platform which they made plans to download. This just reduces the probability of suspecting any type of dangerous code that continues to run in the background.
The app added how there are plenty of malicious bundles that can’t be detected at the current time, and in the end, they just bypass all security barriers like alerts and end up evading the anti-virus products taking place on infected devices.
Now the question on many people’s minds is what exactly are the latest features on this front when it comes down to the Chameleon version? The answer is simple. It’s the chance to display various HTML pages on any running phone having Android 13. Soon after that, it prompts the victims to provide app permissions that utilize Accessibility services.
Android 13 and any variant after that continues to attain protection via security features such as Restricted Settings. The latter is designed to block dangerous app permissions such as those trying to get a hold of Accessibility. And it’s commonly observed how malware ends up stealing content online via such a feature. They may also grant permission while carrying out all types of navigation gestures along the way.
After detecting Android 13 or even 14, it would install HTML pages that serve as a guide for users via manual techniques. This would enable Accessibility for such platforms and would even bypass the overall protection features on the system.
But that’s not all. Another much-talked-about feature enables the chance to cause a rift in biometric functionalities across devices such as face unlocking and fingerprint detection through accessibility. And what that does is it enforces falling back on the likes of a password check or verification through PIN.
In the end, the malware grabs hold of PINs and any passcodes that victims add for device unlocking. Later on, they use just that to carry out illegal activities that no one can see, leaving victims vulnerable at all times as it’s hidden.
Last but not least, the experts noticed how Chameleon controls the kind of activity and duration of activity taking place on devices via an API dubbed AlarmManager. This all depends upon whether or not Accessiblity is open or not. And if the former stands true, it can cause destruction through several means.
It might be linked to determining which time is best for injecting or how to best collect data.
The degree of sophistication with which the banking trojan carries out its activities is proof of how strict vigilance is required to ensure the threat is kept minimal. This includes limiting APK collection via unofficial services.
At the same time, users are recommended to have Play Protect active at all times while performing routine scans to eliminate threats.
Read next: Security Experts Raise The Alarm Against New Phishing Email Scam Targeting Instagram Users
