A brand new variant of the Chameleon Android malware has been discovered in the wild, featuring new characteristics, the most notable of which is the ability to bypass fingerprint locks.
The Chameleon Android banking malware first appeared in early 2023, primarily targeting mobile banking apps in Australia and Poland, but it has since propagated to other countries, including the UK and Italy. The trojan employs multiple loggers but has limited functionality.
Earlier versions of Chameleon could perform actions on the victim's behalf, allowing those behind the malware to carry out account and device takeover attacks. Chameleon has usually leveraged the Android Accessibility Service to extract sensitive data from endpoints and mount overlay attacks, ThreatFabric researchers explained.
The updated version, on the other hand, has two new features: the ability to circumvent biometric prompts and the ability to display an HTML page to allow accessibility service in devices that use Android 13's "Restricted Settings" feature. According to the researchers, the new Chameleon variant's complexity and adaptability have been enhanced, making it a more potent threat in the constantly evolving field of mobile banking trojans.
The new Chameleon variation starts by determining whether the operating system is Android 13 or newer. If it is, the malware prompts the user to enable accessibility services, even guiding the user through the procedure.Once completed, the malware is able to perform unauthorised acts on the user's behalf.
While this is a common feature across malware families, what makes this particular aspect intriguing is the ability to disrupt the targeted device's biometric processes and get around fingerprint locks.
The method uses the AccessibilityEvent system-level event for Android and the KeyguardManager application programming interface to determine the screen and keyguard state based on UI changes. Keyguard is an Android system component that controls security features on devices, including screen lock and authentication mechanisms.
The malware assesses the state of the keyguard in terms of various locking techniques, such as pattern, PIN, or password. When specific requirements are met, the malware will use the AccessibilityEvent action to switch from biometric to PIN authentication. This gets around the biometric question, allowing the trojan to unlock the device whenever it wants.
The method is believed to offer those behind the malware with two advantages: the ability to simplify the theft of PINs, passwords, or graphical keys by bypassing biometric data via keylogging functionalities, and the ability to open devices using previously acquired PINs or passwords.
“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the researchers concluded. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”
