A new threat to Android users, dubbed Chameleon, was recently seen in Australia and Poland. Since the start of 2021 this trojan has been mimicking cryptocurrency exchanges, government agencies and banks in those countries. A cybersecurity firm brought the issue to light. The malware has been spreading through Discord attachments, compromised websites and Bitbucket hosting services, among other channels, and is the newest addition to the long list of malware attacks.
Chameleon is particularly malicious and can perform a range of malicious functions. It steals user data, cookies, credentials and SMS texts from infected devices through overlay injections and keylogging.
Focused on Evading Detection – Chameleon Android Malware
One of the most concerning things about Chameleon is how it evades detection by security software. When launched, the malware performs a variety of checks to determine whether it is being monitored by an analyst or whether the device is rooted. This makes it much more difficult to detect and remove.
Once it finds itself in a “clean” environment, the Chameleon Android malware requests permission from the victim to use Accessibility Services. It abuses these services to grant itself additional permissions, disable Google Play Protect and prevent the victim from uninstalling the malware.
Upon connecting to the C2, Chameleon sends the device version, root status, model, precise location and country, which profiles the new infection. Depending on which entity the malware is impersonating, it opens that entity's legitimate URL in a WebView while loading malicious modules in the background.
These include a cookie stealer, a keylogger, a phishing page injector, a PIN/pattern grabber for lock screens, and an SMS stealer that can circumvent 2FA protections by snatching one-time passwords.
Abuse of Accessibility Services
Chameleon abuses Accessibility Services to monitor screen content and specific events, intervene to change interface elements, or send certain API calls as needed. The same system service is also abused to prevent uninstallation: when the victim tries to remove the malicious app, the malware detects the attempt and deletes its shared preference variables, making it appear as though it is no longer present on the device.
Wiping the shared preference files forces the app to re-establish communication with the C2 the next time it launches, and it also makes the malware more difficult for researchers to analyze.
Furthermore, the malware is capable of downloading a payload at runtime, saving it as a “.jar” file, and executing it later via DexClassLoader. However, this feature is currently unused.
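The behaviours described above (an app that binds an Accessibility Service, asks for SMS access, checks for root or an emulator, and carries a dynamic-code-loading path) are exactly the combination a static triage pass can score before a sample ever runs. The script below is an added example written for this article, not code from the article or from any vendor's analysis of Chameleon. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML and that the string table of classes.dex has been dumped to a list of strings; both inputs here are constructed for the demo, the rule weights are illustrative, and the indicator names are the author's own.

```python
"""Static triage heuristics for Chameleon-style Android trojans.

Added example, not code from the article. Assumes a decoded (plain XML)
manifest and a dumped list of dex strings; the samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# (indicator name, weight, regex over dex strings). Weights are illustrative.
STRING_RULES = [
    ("dynamic_code_loading", 3, re.compile(r"dalvik/system/(Dex|Path|InMemoryDex)ClassLoader")),
    ("root_check", 2, re.compile(r"(/system/(x)?bin/su\b|\btest-keys\b|\bsuperuser\b)", re.I)),
    ("emulator_check", 2, re.compile(r"(goldfish|ranchu|generic_x86|google_sdk)", re.I)),
]

# Constructed manifest resembling the profile described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Wallet">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed dex string table for the same hypothetical sample.
SAMPLE_STRINGS = [
    "Ljava/lang/String;", "dalvik/system/DexClassLoader", "/system/bin/su",
    "test-keys", "generic_x86", "shared_prefs",
]

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def manifest_indicators(manifest_xml):
    """Manifest-level signals: an Accessibility Service binding and SMS access."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    binds_a11y = any(
        s.get(ANDROID_NS + "permission") == A11Y_PERMISSION for s in root.iter("service")
    )
    return {"accessibility_service": binds_a11y, "sms_access": bool(perms & SMS_PERMISSIONS)}


def string_indicators(dex_strings):
    """Match each STRING_RULES regex against the dumped dex string table."""
    found = {}
    for name, weight, pattern in STRING_RULES:
        hits = sorted({s for s in dex_strings if pattern.search(s)})
        if hits:
            found[name] = (weight, hits)
    return found


def triage(manifest_xml, dex_strings):
    """Combine indicators into a score; returns (score, {indicator: (weight, evidence)})."""
    findings, score = {}, 0
    m = manifest_indicators(manifest_xml)
    if m["accessibility_service"]:
        findings["accessibility_service"] = (3, [A11Y_PERMISSION])
        score += 3
    if m["sms_access"]:
        findings["sms_access"] = (2, sorted(SMS_PERMISSIONS))
        score += 2
    for name, (weight, hits) in string_indicators(dex_strings).items():
        findings[name] = (weight, hits)
        score += weight
    # Accessibility + SMS + runtime code loading together is the profile the
    # article describes; weight that conjunction above the sum of its parts.
    if {"accessibility_service", "sms_access", "dynamic_code_loading"} <= set(findings):
        score += 3
    return score, findings


if __name__ == "__main__":
    for label, manifest, strings in (("constructed sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                                     ("benign sample", BENIGN_MANIFEST, ["Ljava/lang/String;"])):
        score, findings = triage(manifest, strings)
        print(f"{label}: score={score}")
        for name, (weight, evidence) in findings.items():
            print(f"  {name} (+{weight}): {evidence}")
```

The point of the conjunction bonus is that each indicator alone is common in legitimate apps (many accessibility tools bind that service, and plugin frameworks use DexClassLoader); it is the combination of Accessibility binding, SMS access and runtime code loading, plus anti-analysis strings, that matches the profile the article describes, so a triage score should reward the combination rather than any single permission.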
Chameleon poses a new threat to Android users, and it is likely that we will see more advanced versions of the malware in the future. Users are advised to be cautious about the apps they install on their devices, only downloading software from official stores and ensuring that Google Play Protect is always enabled.
It is also essential to stay up-to-date with news about these types of threats and to stay away from suspicious links and unknown files, as this is how most Trojan malware spreads. As cybersecurity firms and mobile operating systems develop new tools to combat these attacks, users must remain vigilant and understand how to protect themselves against these dangerous threats.