The dreaded Chameleon Android malware has been upgraded to give attackers the ability to disable the fingerprint unlock feature and steal people's PINs, according to cybersecurity researchers at ThreatFabric.
According to the researchers, Chameleon is similar to other banking malware that abuses the Android Accessibility Service to steal sensitive information from endpoints and perform overlay attacks. This new version comes with two notable changes: the ability to enable Device Takeover (DTO) fraud and the ability to switch the lock screen from biometrics to PIN.
With the first new capability, the malware will first scan to see if the operating system is Android 13 or newer. If so, the user will be prompted to enable accessibility services. It will even guide them through the process, and once it's done, it will perform unauthorized actions on the user's behalf.
Stealing PIN codes
“Upon receiving confirmation that Android 13 Restricted Settings is present on the infected device, the banking Trojan initiates an HTML page load,” ThreatFabric researchers said. “The page guides users through a manual step-by-step process to enable the Accessibility Service on Android 13 and later.”
With the second new capability, Chameleon will use Android APIs to silently change the lock screen authentication mechanism to a PIN, allowing the malware to unlock the phone if necessary. For this feature to work, accessibility services must also be provided.
“The emergence of the new Chameleon banking Trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the company said. “This variant has evolved from its previous version, demonstrating increased resilience and advanced new features.”
The new version has also expanded its reach, moving from Australia and Poland to other areas including the United Kingdom and Italy.
Through The HackerNews