Cyble Research & Intelligence Labs (CRIL) has posted an article raising awareness of a new Android Trojan, ‘Chameleon’, which has been active since the beginning of 2023 and has specifically targeted users in Australia and Poland. Chameleon tricks users by mimicking several applications, including the Australian Government Agency, the mobile app for a large bank in Poland and a cryptocurrency app, ‘CoinSpot’. Since it was first observed in January 2023, it has disguised itself as many other apps, such as ChatGPT and Google Chrome.
The application is distributed through several platforms, including compromised websites, Bitbucket and Discord attachments, and has several worrying capabilities:
Cyble notes that Chameleon is still in its early development stages and may become an even more powerful malware with time.
Once installed on a device, Chameleon asks the user to activate the Accessibility Service, a service used by genuine applications that help users with disabilities, such as screen readers and voice access. To support these tasks, the Accessibility Service grants an app sensitive capabilities, such as observing the user’s actions, retrieving window content and performing gestures on the user’s behalf.
Once this service is activated, Chameleon uses it to escalate its permissions, prevent uninstallation, and disable Play Protect. It then connects to the Command-and-Control Server to send device information.
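As an added example (not taken from the Cyble report or this advisory), the Python check below shows how an administrator could list which apps hold Accessibility Service access on a device connected over USB debugging and flag any that are not expected. It wraps the standard Android command `adb shell settings get secure enabled_accessibility_services`; the allowlist, the function names and the sample value are assumptions constructed for illustration.

```python
import subprocess

# Assumption: packages your organisation expects to hold accessibility access.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",                 # TalkBack screen reader
    "com.google.android.apps.accessibility.voiceaccess",  # Voice Access
}

def parse_services(setting_value):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    value = (setting_value or "").strip()
    if value in ("", "null"):          # 'null' is returned when nothing is enabled
        return []
    pairs = []
    for component in value.split(":"):
        package, _, cls = component.strip().partition("/")
        if not package:
            continue
        if cls.startswith("."):        # short form: class name relative to the package
            cls = package + cls
        pairs.append((package, cls))
    return pairs

def unexpected_services(setting_value, allowed=ALLOWED_PACKAGES):
    """Return enabled accessibility services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_services(setting_value) if p not in allowed]

def read_from_device(serial=None):
    """Read the live setting from a device via adb (requires USB debugging)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=30)
    return result.stdout

# Constructed sample value: one expected service and one unknown app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fakeapp/.HelperService")

if __name__ == "__main__":
    # Swap SAMPLE for read_from_device() to audit a connected device.
    for package, cls in unexpected_services(SAMPLE):
        print(f"REVIEW: {package} has accessibility access via {cls}")
```

Any package this reports should be checked against what the user knowingly installed; an unrecognised app holding this access is a reason to investigate the device.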
Chameleon has some significantly concerning features, but its current form will only pose a threat once installed on a user’s device. To protect yourself and your organisation, several essential security practices can be followed to prevent this malware from being installed:
https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/ – Published 13th April 2023