Cybersecurity researchers have discovered an updated version of the Android banking malware called Chameleon, which has been expanded to target users in the United Kingdom and Italy.
“This evolved Chameleon variant represents a restructured and enhanced iteration of its predecessor, which excels at using secondary services to perform device takeovers (DTOs) while expanding its target area,” ThreatFabric, a Dutch mobile security company, said in a report shared with The Hacker News.
Cyble previously documented Chameleon in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it abuses the permissions of Android accessibility services to obtain sensitive data and conduct overlay attacks.
Rogue apps containing early versions were hosted on phishing pages and were found to be impersonating real organizations in these countries, such as the Australian Taxation Office (ATO) and a cryptocurrency trading platform called CoinSpot, in an attempt to give themselves a credible veneer.
New findings from ThreatFabric reveal that the banking trojan is now distributed via Zombinder, an off-the-shelf dropper-as-a-service (DaaS) sold to other threat actors that can be used to “bind” malicious payloads to legitimate applications.
Although the product was suspected to have been shut down earlier this year, it resurfaced last month promoting a way to bypass the “restricted settings” feature in Android, install malware on the device and gain access to accessibility services.
Both Chameleon distributions are disguised as the Google Chrome web browser. Their package names are listed below –
- Z72645c414ce232f45.Z35aad4dde2ff09b48
- com.busy.lady
A distinguishing feature of the enhanced variant is its ability to conduct device takeover (DTO) fraud, which exploits accessibility services to perform unauthorized actions on behalf of the victim.
To trick users into enabling the accessibility service, the malware checks the Android version of the infected device and, if it finds Android 13 or higher, prompts the user to turn it on.
“After receiving confirmation that Android 13 restrictions are present on the compromised device, the banking Trojan initiates the loading of an HTML page,” ThreatFabric explains. “The page is taking the user through a manual step-by-step process to enable the accessibility service on Android 13 and higher.”
Another new feature is the use of Android APIs to covertly switch the lock screen authentication mechanism to a PIN code, thereby bypassing biometric prompts on the target device and allowing the malware to use accessibility services to “unlock the device at will.”
Google told The Hacker News that its Play Protect feature is enabled by default on devices with Google Play services to protect users from threats.
“The emergence of the new Chameleon banking Trojan is another example of the complex and adaptive threat landscape in the Android ecosystem,” the company said. “Evolving from earlier versions, this variant demonstrates increased resiliency and advanced new capabilities.”
Zimperium revealed that 29 malware families (10 of which were new) targeted 1,800 banking applications in 61 countries last year. New active families include Nexus, Godfather, PixPirate, Saderat, Hook, PixBankBot, Xenomorph v3, Vultur, BrasDex and GoatRAT.
The most targeted countries include the United States (109 banking apps), the United Kingdom (48), Italy (44), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), Canada (17) and Brazil (11). The most targeted financial services apps are PhonePe (India), WeChat, Bank of America, Wells Fargo (US), Binance (Malta), Barclays (UK), QNB Finansbank (Turkey) and CaixaBank (Spain).
“Traditional banking apps remain the main target, with a staggering 1,103 apps accounting for 61% of targets, while emerging fintech and trading apps are now targeted, accounting for the remaining 39%,” the company said.
(This story was updated after publication to include Google’s response.)