A new variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area, online fraud detection firm ThreatFabric reports.
Active since early 2023, the malware initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy.
When initially uncovered, ThreatFabric explains, Chameleon used multiple loggers, had limited malicious functionality, and contained various unused commands, suggesting that it was still under development.
Employing a proxy feature and abusing Accessibility Services, it could perform actions on behalf of the victim, allowing attackers to engage in Account Takeover and Device Takeover attacks, mainly targeting banking and cryptocurrency applications.
The malware was being distributed through phishing pages, posing as legitimate applications, and using a legitimate content distribution network for file distribution.
ThreatFabric recently identified an updated Chameleon variant, which shows the same characteristics and modus operandi as its predecessor while also packing advanced features.
The new samples are being distributed through the Zombinder, a dropper-as-a-service used in attacks targeting Android users.
The observed Zombinder samples, ThreatFabric says, use a sophisticated two-staged payload process, deploying the Hook malware family along with Chameleon.
One of the most important capabilities in the new Chameleon version is a device-specific check activated when receiving a command from the command-and-control server, which targets the 'Restricted Settings' protections introduced in Android 13.
Upon receiving the command, the Trojan displays an HTML page that asks the victim to enable the Accessibility service.
The page guides the victim through a manual step-by-step process of enabling the service, which then allows the malware to perform DTO. Additionally, the new Chameleon variant packs a new feature to interrupt biometric operations on the victim's device, also enabled via a specific command.
The updated Chameleon variant also introduces task scheduling using the AlarmManager API, a capability observed in other banking trojans but implemented differently.
If the Accessibility option is not implemented, the malware can switch to collecting information on user apps to identify the foreground application and display overlays using the 'Injection' activity.
This Cyber News was published on www.securityweek.com. Publication date: Fri, 22 Dec 2023 18:13:05 +0000