Chameleon Mobile Malware

A new Android Trojan, referred to as 'Chameleon,' has been detected targeting users in both Australia and Poland since the start of 2023. The malware is designed to mimic legitimate entities such as the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank.

According to cybersecurity firm Cyble, the distribution of this mobile malware is believed to have occurred through various channels. These include compromised websites, attachments on the popular communication platform Discord, and hosting services provided by Bitbucket. In addition, the Chameleon Android trojan boasts a broad spectrum of harmful capabilities, which comprise the theft of user credentials through overlay injections and keylogging, as well as the collection of cookies and SMS messages from the compromised device.

Chameleon Performs Various Anti-Detection Checks

Upon execution on the breached Android device, the Chameleon mobile malware employs several techniques to elude detection by security software. These tactics include anti-emulation checks to determine whether the device is rooted and if debugging has been activated. If the threat detects that it is running in an analyst's environment, it may abort the infection process altogether to avoid detection.

If it determines that the environment is safe, Chameleon proceeds with its malicious routine and prompts the victim to authorize it to use the Accessibility Service. This permission is then exploited by the threat to grant itself additional privileges, turn off Google Play Protect, and prevent the victim from uninstalling the Trojan.

Attackers Can Perform Various Threatening Activities through Chameleon Mobile Malware

Upon establishing a connection with the Command and Control (C2) server, the Chameleon malware initiates communication by sending the device's version, model, root status, country, and precise location. This is believed to be an attempt to profile the new infection and tailor its activities accordingly.

Subsequently, depending on the entity that the malware is impersonating, it opens a legitimate URL in a WebView and commences the loading of malicious modules in the background. These modules include a cookie stealer, a keylogger, a phishing page injector, a lock screen PIN/pattern grabber, and an SMS stealer. The latter is particularly concerning as it can extract one-time passwords, thereby allowing the attackers to bypass two-factor authentication protections.

To carry out its data-collecting activities, the Chameleon malware relies on the abuse of Accessibility Services. This grants the malware the ability to monitor screen content, detect specific events, modify interface elements, and send necessary API calls as required.

The Chameleon Mobile Malware Establishes Persistence on Infected Devices

In addition to its data-collecting activities, the Chameleon malware also leverages the Accessibility Services to impede the removal of the unsafe application. It accomplishes this by monitoring uninstallation attempts by the victim and deleting the shared preference variables associated with the malware. This makes it appear as though the app has been uninstalled when, in fact, it remains on the device.
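Because both the data collection and the anti-uninstall behaviour described above depend on a third-party app holding the Accessibility Service permission, a quick triage step on a suspect device is to list which packages have that permission and compare them against the set you expect. The following helper is an added example, not code from the page or from Cyble's report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` and flags third-party packages that are accessibility-enabled but not on a known-good list. The adb output and package names below are constructed for the example.

```python
# Added triage helper (not part of the original write-up). Input strings are
# constructed samples of what the two adb commands print on a device.

# adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/ServiceClass" entries, or "null" when none.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.walletfake/com.example.walletfake.AccService"   # constructed package
)

# adb shell pm list packages -3  (third-party packages only)
SAMPLE_THIRD_PARTY = """package:com.example.walletfake
package:org.mozilla.firefox
"""

# Accessibility services an organisation expects to see; extend per fleet.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(raw):
    """Return (package, service_class) pairs from the Settings.Secure value."""
    raw = raw.strip()
    if not raw or raw == "null":   # no accessibility services enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs


def parse_third_party_packages(raw):
    """Return the set of package names from 'pm list packages -3' output."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def flag_suspicious(accessibility_raw, packages_raw, known_good=KNOWN_GOOD):
    """Third-party packages that hold accessibility access but are not known-good."""
    third_party = parse_third_party_packages(packages_raw)
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_accessibility_services(accessibility_raw)
        if pkg in third_party and pkg not in known_good
    ]
```

A flagged entry is a lead, not a verdict: confirm by inspecting the APK and its requested permissions before removing it, and remember that a sample which has wiped its shared preferences may still be listed by `pm list packages`.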

Furthermore, cybersecurity firm Cyble has discovered code within Chameleon that allows it to download a payload at runtime and save it on the host device as a '.jar' file. This file is intended to be executed later via DexClassLoader. However, this feature does not appear to be in use by the malware at present.
