Chameleon Android Banking Trojan Morphs with Advanced Tactics, Expands Targets

The Chameleon Android banking trojan has undergone a formidable transformation, revealing advanced tactics and a wide target scope. Discovered by online fraud detection experts ThreatFabric, this evolving threat was initially detected in early 2023, homing in on mobile banking applications in Australia and Poland. Now, it has set its sights on the UK and Italy.

In its early stages, ThreatFabric identified Chameleon as a work in progress, featuring multiple loggers and limited functionality. The trojan executed actions on behalf of victims, orchestrating Account Takeover (ATO) and Device Takeover (DTO) attacks, primarily targeting banking and cryptocurrency applications.

Notably, Chameleon’s distribution strategy involved phishing pages posing as legitimate applications. It used a genuine content distribution network (CDN) for seamless file distribution. In a recent update, ThreatFabric has spotted a refined variant armed with even more advanced features, distributed through Zombinder, a dropper-as-a-service (DaaS) in Android-targeted attacks.

A key upgrade in the new Chameleon version is a device-specific check targeting ‘Restricted Settings’ protections in Android 13. Upon receiving a command, the trojan guides victims through enabling the Accessibility service, ultimately facilitating Device Takeover (DTO). The updated Chameleon introduces a novel capability to interrupt biometric operations, seamlessly transitioning from biometric to PIN authentication.
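Because the takeover described above depends on an Accessibility service being enabled for an app that arrived outside the official store, a defender can audit a device for exactly that combination. The following is an added example, not code from ThreatFabric or the original article; it assumes the two inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names, sample outputs and trusted-installer list are constructed for illustration.

```python
# Flag enabled Accessibility services whose package was not installed by a trusted store.
# Assumption: the trusted-installer list is a policy choice, adjust it per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = (
    "com.example.reader/com.example.reader.ScreenReaderService:"
    "com.example.updater/com.example.updater.CoreService"
)
# Constructed sample: `adb shell pm list packages -i`
SAMPLE_PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_installers(pm_output):
    """Map package name -> installer package (None when unknown or sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        installers[fields[0][len("package:"):]] = installer
    return installers

def parse_a11y_services(setting_value):
    """Split the colon-separated 'package/class' list; empty or 'null' means none."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def flag_sideloaded_a11y(setting_value, pm_output):
    """Return (package, service class, installer) for each service to review."""
    installers = parse_installers(pm_output)
    return [
        (pkg, cls, installers.get(pkg))
        for pkg, cls in parse_a11y_services(setting_value)
        if installers.get(pkg) not in TRUSTED_INSTALLERS
    ]

if __name__ == "__main__":
    for finding in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print("review:", finding)
```

Preinstalled system apps can also report no installer, so triage findings against the device's system package list before treating them as suspicious.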

As cybersecurity experts continue to monitor the evolving landscape of Android banking trojans, users are advised to remain vigilant.
