The Chameleon Android malware has resurfaced with a new version that employs a clever tactic to compromise devices. Based on reports, the latest iteration uses a novel technique that forces Android devices to fall back from fingerprint and face unlock to PIN entry, so that the PIN can be stolen.
Initially detected in April of this year, earlier versions of Chameleon impersonated Australian government agencies, banks, and even the CoinSpot cryptocurrency exchange. Those iterations performed keylogging, overlay injection, cookie theft, and SMS theft, wreaking havoc on compromised devices.
The new version of the Chameleon Android malware spreads through the Zombinder service.
The current variant of Chameleon propagates via Zombinder, disguising itself as Google Chrome. Zombinder is notorious for binding malware to legitimate Android apps: the victim gets the full functionality of the app they intended to install, while the malicious payload is deployed in the background.
This tactic makes the malware harder to catch with Google Play Protect alerts and traditional antivirus solutions, because the visible app behaves exactly as expected.
As of now, the latest version of Chameleon includes two notable features. First, on devices running Android 13 and later, it displays an HTML page instructing the user to grant the app permission to use the Accessibility service.
This feature is crucial for the infection chain because Android 13 and later include a protection called "Restricted Settings," which blocks sideloaded apps from being granted potentially dangerous permissions such as Accessibility unless the user manually lifts the restriction. The HTML page walks the victim through doing exactly that.
The second feature interrupts biometric operations, such as fingerprint and face unlock, by leveraging the Accessibility service. Chameleon forces the victim to fall back to PIN or password authentication, which the malware's keylogging can then capture for later misuse.
Furthermore, the malware now schedules its tasks through the AlarmManager API, which lets it control when it is active and choose what kind of activity to perform based on the device's current state.
To mitigate the Chameleon threat, users should refrain from downloading Android package files (APKs) from unofficial sources, since sideloaded APKs repackaged through Zombinder are the malware's primary delivery vector. Enabling Play Protect and running regular scans are also important for keeping the device free of malware and adware, and any app that asks for Accessibility access, or for the Restricted Settings exception, should be treated with suspicion.
Users should remain vigilant and follow these basic practices to protect their devices. Staying informed about the latest threats remains the most effective way to thwart campaigns like this one.
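Because the two traits the article describes, a sideloaded install and an enabled Accessibility service, are both visible through adb, a defender or incident responder can triage a device by cross-checking them. The script below is an added example written for this page; it is not part of the article or of the reporting it summarizes. It parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags any package that holds an enabled Accessibility service but was not installed by the Play Store. The sample outputs embedded in the script are constructed, and the package names `com.example.bank` and `com.chrome.update.helper` are hypothetical.

```python
"""Flag sideloaded packages that hold an enabled Android Accessibility service.

Input is the text of two adb commands run on the device under review:
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
Added example for this page; the sample outputs below are constructed.
"""
import re

# Installer package names that correspond to an official store. pm prints
# "installer=null" for packages installed via adb or a sideloaded APK.
STORE_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i`: "package:<pkg>  installer=<installer>"
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output (hypothetical package names).
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.helper  installer=null
"""

# Constructed sample value of the enabled_accessibility_services setting:
# a colon-separated list of ComponentName strings, "pkg/Service" or "pkg/.Service".
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.chrome.update.helper/.AccessService"
)


def parse_installers(pm_output):
    """Map package name -> installer package, or None when pm printed 'null'."""
    installers = {}
    for line in pm_output.splitlines():
        match = PM_LINE.match(line.strip())
        if not match:
            continue  # skip blank lines or anything that is not a package entry
        installer = match.group("installer")
        installers[match.group("pkg")] = None if installer == "null" else installer
    return installers


def parse_enabled_accessibility(setting_value):
    """Return the set of packages owning at least one enabled Accessibility service.

    `settings get` prints the literal string "null" when nothing is enabled.
    """
    packages = set()
    if not setting_value or setting_value.strip() == "null":
        return packages
    for component in setting_value.strip().split(":"):
        if "/" in component:
            packages.add(component.split("/", 1)[0])
    return packages


def suspicious_packages(pm_output, setting_value):
    """List (package, installer) pairs with an enabled Accessibility service
    whose installer is not a known app store. Sorted for stable output."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_enabled_accessibility(setting_value)):
        installer = installers.get(pkg)
        if installer not in STORE_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    for pkg, installer in suspicious_packages(SAMPLE_PM, SAMPLE_A11Y):
        print(f"REVIEW: {pkg} has an enabled Accessibility service, installer={installer}")
```

On the constructed sample, TalkBack is left alone because it came from the Play Store, while the Chrome look-alike is flagged. One caveat when running this against a real device: preinstalled system apps also report `installer=null`, so a hit should be cross-checked against `adb shell pm list packages -s` (system packages) before it is treated as a sideloaded install.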