A new type of Android Banking Trojan, referred to as "Chameleon," has recently been discovered. This malware is unique as it appears to be a new strain and doesn't resemble any known Trojan families. Since January 2023, Chameleon has been targeting users in Australia and Poland by disguising itself as legitimate apps like CoinSpot, a government agency in Australia, and IKO bank from Poland. It has also been observed using icons of different software to infect Android users. The Trojan is distributed through compromised websites, Discord attachments, and Bitbucket hosting services.
Chameleon has several capabilities, including keylogging, overlay attacks, SMS-harvesting, cookie stealing, lock grabbing, preventing uninstallation, anti-emulation techniques, auto-uninstallation, and disabling Google Play Protect. It is currently in its early stages of development and primarily uses injection and keylogging techniques to steal users' credentials. However, it's possible that new features may be added to the malware in the future.
The malware initially performs anti-emulation checks to verify whether the device is rooted or debugging is activated. If the malware identifies any of these emulation checks, it will terminate its execution. Once it identifies the targeted device, Chameleon requests the victim to activate the Accessibility Service. Once the victim grants permission, the malware exploits the Accessibility Service to perform malicious activities such as automatically granting permissions, preventing uninstallation, disabling Play Protect, and more.
Chameleon Android Spyware Signatures
Chameleon Android Spyware Download