A new variant of an Android banking Trojan has appeared that can bypass biometric security to break into devices, demonstrating an evolution in the malware that attackers now are wielding against a wider range of victims.
Spread through phishing pages, the malware was then characterized by an ability to impersonate trusted apps, disguising itself as institutions such as the Australian Taxation Office and popular banking apps in Poland to steal data from user devices.
Now, researchers at Threat Fabric have spotted a new, more sophisticated version of Chameleon that also targets Android users in the UK and Italy, and spreads through a Dark Web Zombinder app-sharing service disguised as a Google Chrome app, they revealed in a blog post published Dec. 21.
The variant includes several new features that make it even more dangerous to Android users than its previous incarnation, including a new ability to interrupt the biometric operations of the targeted device, the researchers said.
By defeating biometric unlock, attackers can capture PINs, passwords, or graphical keys through keylogging functionality, as well as unlock devices using previously stolen PINs or passwords.
The variant also has an expanded feature that leverages Android's Accessibility service for device takeover attacks, as well as a capability found in many other trojans to allow task scheduling using the AlarmManager API, the researchers found.
Chameleon: A Shape-Shifting Biometric Capability
Overall, the three distinct new features of Chameleon demonstrate how threat actors respond to and continuously seek to bypass the latest security measures designed to combat their efforts, according to Threat Fabric.
The method uses Android's KeyguardManager API and AccessibilityEvent to assess the device screen and keyguard status, evaluating the state of the latter in terms of various locking mechanisms, such as pattern, PIN, or password.
Upon meeting the specified conditions, the malware uses this action to transition from biometric authentication to PIN authentication, bypassing the biometric prompt and allowing the Trojan to unlock the device at will, the researchers found.
This, in turn, provides attackers with two advantages: making it easy to steal personal data such as PINs, passwords, or graphical keys, and allowing them to enter biometrically protected devices using previously stolen PINs or passwords by leveraging Accessibility, according to Threat Fabric.
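The PIN-fallback trick described above works against the device's lock screen, so a banking app that treats "device unlocked" as proof of identity inherits the weakness. The following is an added example, not code from the article or from Threat Fabric: an app-side gate that never accepts a device credential at all. It binds the app's secret to an AndroidKeyStore key that only a strong biometric can release, and shows a BiometricPrompt with no PIN/pattern/password path. It assumes the androidx.biometric library; the class name, key alias and prompt strings are the example's own.

```java
// Added example (not from the article or Threat Fabric). Assumes androidx.biometric;
// StrongBiometricGate, the key alias and the prompt text are hypothetical names.
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class StrongBiometricGate {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example_session_key"; // hypothetical alias
    private static final String TRANSFORM = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_GCM + "/" + KeyProperties.ENCRYPTION_PADDING_NONE;

    /** Creates the key once. It cannot be used unless a strong biometric was just presented. */
    static void createKeyIfMissing() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return;
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // Enrolling a new fingerprint/face destroys the key instead of inheriting it.
                .setInvalidatedByBiometricEnrollment(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // timeout 0 = per-use authentication; BIOMETRIC_STRONG only, never a device credential.
            b.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(b.build());
        kg.generateKey();
    }

    /** Shows a biometric-only prompt; the cipher is bound to the key and only works after success. */
    static void authenticateAndEncrypt(FragmentActivity activity, byte[] plaintext,
                                       Consumer<byte[]> onCiphertext) throws Exception {
        int status = BiometricManager.from(activity)
                .canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG);
        if (status != BiometricManager.BIOMETRIC_SUCCESS) {
            throw new IllegalStateException("no strong biometric available: " + status);
        }
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, key);

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm transaction")
                .setNegativeButtonText("Cancel")
                // Deliberately no DEVICE_CREDENTIAL: the prompt has no "use PIN" path to fall back to.
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .setConfirmationRequired(true)
                .build();

        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            // Refuse anything that is not a real biometric result.
                            if (result.getAuthenticationType()
                                    != BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC) {
                                throw new SecurityException("non-biometric authentication result");
                            }
                            Cipher authorized = result.getCryptoObject().getCipher();
                            onCiphertext.accept(authorized.doFinal(plaintext));
                        } catch (Exception e) {
                            onCiphertext.accept(null); // caller treats null as "not authorized"
                        }
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The point of the CryptoObject is that the key release is enforced by the keystore, not by the app's UI logic: a device that was unlocked with a stolen PIN still cannot complete `doFinal`, because the key was generated for `AUTH_BIOMETRIC_STRONG` only.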
Another key new feature is an HTML prompt to enable the Accessibility service, on which Chameleon depends to launch an attack to take over the device.
It does this by supporting a new command that can determine whether accessibility is enabled or not, dynamically switching between different malicious activities depending on the state of this feature on the device.
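Because the takeover depends on the user granting an accessibility service, the enabled services on a device are a useful signal for a defender. The following is an added example, not code from the article or from Threat Fabric: a check a banking app can run before showing a sensitive screen. It enumerates the currently enabled accessibility services and flags those that belong to non-system packages that were not installed from a trusted store, which is where a sideloaded dropper would show up. The class name and the allowlist contents are the example's own assumptions (the TalkBack package is used as an illustrative allowlist entry).

```java
// Added example (not from the article or Threat Fabric). AccessibilityAudit and the
// allowlists are hypothetical; adapt the trusted installers and services to the deployment.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {
    // Assumption: installers considered trustworthy. Extend for enterprise or OEM stores.
    private static final Set<String> TRUSTED_INSTALLERS =
            new HashSet<>(Arrays.asList("com.android.vending"));
    // Assumption: assistive services the app explicitly trusts (illustrative entry).
    private static final Set<String> ALLOWLISTED_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    /** One flagged service and why it was flagged. */
    public static final class Finding {
        public final String serviceId;
        public final String reason;
        Finding(String serviceId, String reason) { this.serviceId = serviceId; this.reason = reason; }
        @Override public String toString() { return serviceId + ": " + reason; }
    }

    /** Returns enabled accessibility services that do not look like legitimate assistive technology. */
    public static List<Finding> audit(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return findings;
        PackageManager pm = ctx.getPackageManager();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId(); // "package/serviceClass"
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (ALLOWLISTED_PACKAGES.contains(pkg)) continue;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                if ((ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue; // OEM/AOSP features
                String installer = installerOf(pm, pkg);
                if (installer != null && TRUSTED_INSTALLERS.contains(installer)) continue;
                // A service that can retrieve window content sees what the user types and taps.
                boolean readsScreen = (info.getCapabilities()
                        & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
                findings.add(new Finding(id, "sideloaded accessibility service (installer="
                        + installer + (readsScreen ? ", can read window content)" : ")")));
            } catch (PackageManager.NameNotFoundException e) {
                findings.add(new Finding(id, "package not resolvable"));
            }
        }
        return findings;
    }

    private static String installerOf(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            return pm.getInstallSourceInfo(pkg).getInstallingPackageName();
        }
        return pm.getInstallerPackageName(pkg); // deprecated, but the only option below API 30
    }
}
```

A non-empty result is not proof of infection (many legitimate automation and accessibility tools are sideloaded), so the usual response is to warn the user and withhold high-value screens rather than to block outright; the finding is also worth reporting to the app's backend as a risk signal.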
Android Devices at Risk From Malware
With attacks against Android devices soaring, it's more crucial than ever for mobile users to be wary of downloading any applications on their device that seem suspicious or aren't distributed through legitimate app stores, security experts advise.
Threat Fabric managed to track and analyze samples of Chameleon related to the updated Zombinder, which uses a sophisticated two-stage payload process to drop the Trojan.
Threat Fabric published indicators of compromise in its analysis, in the form of hashes, app names, and package names associated with Chameleon so users and administrators can monitor for potential infection by the Trojan.
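The following is an added example, not code from the article or from Threat Fabric, of how an administrator can use indicators of this form: it matches package names against the output of `adb shell pm list packages -f` and APK SHA-256 hashes against files pulled from a device. The indicator values in the code are placeholders, since the article does not reproduce Threat Fabric's list; substitute the published values.

```java
// Added example (not from the article or Threat Fabric). IocMatcher is hypothetical and
// the indicator values are PLACEHOLDERS; replace them with the published ones.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class IocMatcher {
    // Placeholder indicators, NOT real IoCs.
    static final Set<String> IOC_PACKAGES = new HashSet<>(Arrays.asList(
            "com.example.placeholder.dropper"));
    static final Set<String> IOC_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    /** Parses one `pm list packages -f` line ("package:/path/base.apk=pkg.name") into {path, pkg}. */
    static String[] parsePmLine(String line) {
        if (!line.startsWith("package:")) return null;
        String body = line.substring("package:".length()).trim();
        int eq = body.lastIndexOf('='); // package names cannot contain '='; paths on newer Android can
        if (eq < 0) return null;
        return new String[] { body.substring(0, eq), body.substring(eq + 1) };
    }

    /** Returns installed packages whose name is an indicator, with the APK path for follow-up. */
    static List<String> matchPackages(List<String> pmOutput) {
        List<String> hits = new ArrayList<>();
        for (String line : pmOutput) {
            String[] parsed = parsePmLine(line);
            if (parsed != null && IOC_PACKAGES.contains(parsed[1])) {
                hits.add(parsed[1] + " @ " + parsed[0]);
            }
        }
        return hits;
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Hashes pulled APK files and reports those whose SHA-256 is an indicator. */
    static List<Path> matchApkHashes(List<Path> apks) throws IOException, NoSuchAlgorithmException {
        List<Path> hits = new ArrayList<>();
        for (Path p : apks) {
            if (IOC_SHA256.contains(sha256Hex(Files.readAllBytes(p)))) hits.add(p);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of `adb shell pm list packages -f` output; the dropper entry is invented.
        List<String> sample = Arrays.asList(
                "package:/system/priv-app/Settings/Settings.apk=com.android.settings",
                "package:/data/app/~~Ab12==/com.example.placeholder.dropper-Cd34==/base.apk=com.example.placeholder.dropper",
                "package:/data/app/~~Ef56==/com.android.chrome-Gh78==/base.apk=com.android.chrome");
        System.out.println("package hits: " + matchPackages(sample));
        List<Path> apks = new ArrayList<>();
        for (String a : args) apks.add(Path.of(a)); // APKs previously fetched with `adb pull`
        System.out.println("hash hits: " + matchApkHashes(apks));
    }
}
```

Run it as `java IocMatcher pulled1.apk pulled2.apk` after pulling the APKs listed by `pm list packages -f`; a package-name hit identifies which path to pull, and the hash check confirms the file against the published indicator rather than relying on the name alone.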
This Cyber News was published on www.darkreading.com. Publication date: Thu, 21 Dec 2023 16:20:28 +0000