Chameleon Android Banking Trojan variant bypasses biometric authentication

Bypass Biometric Authentication

Cybersecurity researchers have discovered an updated version of Chameleon, an Android banking malware, that has expanded its targeting to users in Britain and Italy.

“This evolved Chameleon variant represents a restructured and improved version of its predecessor and excels at performing Device Takeover (DTO) using the Accessibility Service while expanding its targeted region,” said Dutch mobile security company ThreatFabric said in a report shared with The Hacker News.

Chameleon was previously documented by Cyble in April 2023, noting that it had been used to select users in Australia and Poland since at least January. Like other banking malware, it is known to abuse Android’s Accessibility Service permissions to collect sensitive data and perform overlay attacks.

The rogue apps containing the earlier version were hosted on phishing pages and were found to be posing as real institutions in the countries, such as the Australian Taxation Office (ATO) and a cryptocurrency trading platform called CoinSpot, in an attempt to shroud them of credibility.

ThreatFabric’s latest findings reveal that the banking Trojan is now being delivered via Zombinder, a turnkey dropper-as-a-service (DaaS) sold to other threat actors that can be used to ‘bind’ malicious payloads . to legitimate apps.

Although the offering was believed to have been discontinued earlier this year, it resurfaced last month with advertising capabilities to bypass Android’s ‘Restricted Settings’ feature to install malware on devices and access the accessibility service.

Both the malicious artifacts that spread Chameleon impersonate the Google Chrome web browser. Their package names are listed below –

  • Z72645c414ce232f45.Z35aad4dde2ff09b48
  • com.busy.lady

A notable feature of the enhanced variant is the ability to perform Device Takeover (DTO) fraud, which uses the accessibility service to perform unauthorized actions on behalf of the victim.

Android Banking Trojan

But to trick users into enabling the setting, the malware checks the Android version on the installed device and if it is found to be Android 13 or higher, the user is prompted to enable it.

“Upon receiving confirmation that Android 13 Restricted Settings is present on the infected device, the banking Trojan initiates the loading of an HTML page,” ThreatFabric explains. “The page guides users through a manual step-by-step process to enable the Accessibility Service on Android 13 and later.”

Another new addition is the use of Android APIs to disrupt the biometrics of the targeted device by covertly switching the lock screen authentication mechanism to a PIN so that the malware can “unlock the device at will” using the Accessibility Service .

“The emergence of the new Chameleon banking Trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the company said. “This variant has evolved from its previous version, demonstrating increased resilience and advanced new features.”

The development comes as Zrijke revealed that 29 malware families – 10 of them new – had attacked 1,800 banking applications in 61 countries over the past year. The new active families are Nexus, Godfather, PixPirate, Saderat, Hook, PixBankBot, Xenomorph v3, Vultur, BrasDex and GoatRAT.

The top American countries we focus on are the US (109 banking apps), Great Britain (48), Italy (44), Australia (34), Turkey (32), France (30), Spain (29), Portugal ( 27), Germany (23), Canada (17) and Brazil (11). The most targeted financial services apps are PhonePe (India), WeChat, Bank of America, Well Fargo (US), Binance (Malta), Barclays (UK), QNB Finansbank (Turkey) and CaixaBank (Spain).

“Traditional banking applications remain the top target, with a whopping 1,103 apps – accounting for 61% of targets – while emerging FinTech and commerce apps are now in the crosshairs, making up the remaining 39%,” the company says. said.

#Chameleon #Android #Banking #Trojan #variant #bypasses #biometric #authentication

Notify of
Inline Feedbacks
View all comments
Previous Post
Predator Spyware

Experts describe the multi-million dollar licensing model for Predator spyware

Next Post
JavaScript Malware

New JavaScript malware targets more than 50,000 users at dozens of banks worldwide

Related Posts