A new Android Trojan called Chameleon has been targeting users in Australia and Poland since earlier this year, mimicking the Australian cryptocurrency exchange CoinSpot, an Australian government agency, and the Polish bank IKO.
The mobile malware was discovered in the wild (ITW) by the cybersecurity company Cyble, which reports that Chameleon spreads through hacked websites, Discord attachments, and Bitbucket hosting services.
The Chameleon Trojan includes a wide range of malicious features, such as stealing user credentials through overlay injections and keylogging, and stealing cookies and SMS messages from an infected device.
When launched, the malware performs a series of checks to avoid detection by security software. These checks include determining the environment the app is running in (sandboxed or not), whether the device is rooted, and whether debugging is enabled in developer options. All of these factors give attackers a clue as to whether the Trojan is on the device of a regular user or a security researcher.
If the environment is acceptable, the infection continues and Chameleon asks the victim for permission to use an accessibility service, which it abuses to grant itself additional permissions and to make itself harder to remove from the victim's device. The malware also requests that Google Play Protect be disabled so that the system does not detect the installation of additional payloads.
When it first connects to the C2 server, the malware sends data about the device model, operating system version, root status, the victim's country of residence, and even the exact coordinates of the device's location.
Depending on which service the malware impersonates, on launch it opens the legitimate URL of that service in a WebView while the malicious modules load in the background. These include a cookie stealer, a keylogger, a phishing page injector, a PIN/lock screen code interceptor, and an SMS hijacker that can intercept one-time passwords (OTP) and help attackers bypass 2FA protection.
Even if the victim suspects something is wrong, the Trojan's built-in self-protection means that removing it in the usual way will not succeed. Moreover, the Trojan can add itself to system autostart and will reconnect to the C2 server when the device is restarted.
Most of these malicious programs rely on the abuse of accessibility services, which is what gives them such extensive functionality. Therefore, unfamiliar applications should never be given such access, especially if there is no clear certainty that they really need it.
Cyble also discovered code that allows Chameleon to download an additional payload and store it on the device as a ".jar" file for later execution through DexClassLoader. However, this feature is not currently used by the attackers.
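The traits described above (an accessibility service, SMS and location permissions, boot persistence, and DexClassLoader loading of a downloaded .jar) can be turned into a static triage heuristic. The script below is an added example, not Cyble's tooling or code from the malware; the weights, thresholds and the sample manifest and dex strings are constructed for illustration only.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Traits the article attributes to Chameleon; the weights are this example's own assumption.
USES_PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 2,             # SMS/OTP hijacker
    "android.permission.READ_SMS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 1,    # exact coordinates sent to C2
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,  # autostart after reboot
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEX_PATTERNS = {
    "dynamic_jar_loading": re.compile(r"dalvik/system/DexClassLoader|\.jar$"),
    "anti_analysis": re.compile(r"isDebuggerConnected|ro\.debuggable|/su$|goldfish|ranchu", re.I),
    "play_protect_tamper": re.compile(r"play.?protect", re.I),
}

def triage(manifest_xml: str, dex_strings: list[str]) -> dict:
    """Score a decoded AndroidManifest.xml and a dex string table against the trait list."""
    root = ET.fromstring(manifest_xml)
    hits, score = [], 0
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name in USES_PERMISSION_WEIGHTS:
            hits.append(name)
            score += USES_PERMISSION_WEIGHTS[name]
    # An accessibility service is a <service> gated by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            hits.append("accessibility_service")
            score += 3
            break
    for label, pattern in DEX_PATTERNS.items():
        if any(pattern.search(s) for s in dex_strings):
            hits.append(label)
            score += 2
    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "low"
    return {"score": score, "hits": hits, "verdict": verdict}

# Constructed sample input; not a manifest or strings taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakewallet">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "payload.jar", "isDebuggerConnected"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
```

Any single hit is weak on its own (legitimate apps declare SMS or accessibility services); the score is only a prioritisation aid for manual review, not a verdict.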
Chameleon is a new mobile threat that may gain even more features and functionality in future versions. Android users are advised to be careful about the apps they install on their devices: software should be downloaded only from official stores, and Google Play Protect must always remain enabled.