December 22, 2023 at 12:54PM
The Chameleon Android banking trojan, tracked by ThreatFabric, has expanded its reach to the UK and Italy from its initial targets in Australia and Poland. The malware employs tactics such as phishing pages and abuse of Accessibility Services to perform Account Takeover and Device Takeover attacks against banking and cryptocurrency applications. ThreatFabric has also identified an updated variant distributed through Zombinder, which adds features such as interrupting biometric operations and scheduling tasks with the AlarmManager API.
Key takeaways from the meeting notes on the Chameleon Android banking trojan include:
1. The new variant of the Chameleon trojan has expanded its targeting to the UK and Italy, after initially focusing on Australia and Poland.
2. The trojan employs a proxy feature and abuses Accessibility Services to engage in Account Takeover (ATO) and Device Takeover (DTO) attacks, mainly targeted at banking and cryptocurrency applications.
3. It has been distributed through phishing pages that pose as legitimate applications, with the files hosted on a legitimate content distribution network.
4. The updated Chameleon variant is distributed through the Zombinder, using a sophisticated two-staged payload process, deploying the Hook malware family along with Chameleon.
5. The new variant includes a device-specific check that targets the ‘Restricted Settings’ protections introduced in Android 13, as well as a feature to interrupt biometric operations on the victim’s device.
6. It also introduces task scheduling using the AlarmManager API, which lets it collect information about the user's apps to identify the foreground application and display overlays when the Accessibility option is not implemented.
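Takeaways 2, 5 and 6 describe the two device conditions a banking app can actually observe for itself: an unexpected third-party Accessibility Service being enabled, and strong biometrics suddenly becoming unavailable at login time. The following Kotlin is an added illustration of such a device-posture check; it is not code from ThreatFabric or from the Chameleon report. The allow-list contents, the `PostureResult` type and the `checkDevicePosture` name are assumptions made for this example; the Android and AndroidX Biometric APIs it calls are real.

```kotlin
// Added example (not from the ThreatFabric report): device-posture checks a
// banking app can run before showing a sensitive screen. The allow-list is a
// placeholder; a real one comes from the app vendor's own policy.
import android.content.Context
import android.provider.Settings
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG

// Hypothetical result type for this example.
data class PostureResult(
    val unknownAccessibilityServices: List<String>,
    val strongBiometricAvailable: Boolean,
) {
    // Either signal alone is enough to step up authentication.
    val risky: Boolean
        get() = unknownAccessibilityServices.isNotEmpty() || !strongBiometricAvailable
}

// Pure helper so the parsing logic can be unit-tested without a device.
// ENABLED_ACCESSIBILITY_SERVICES is a colon-separated list of
// "package/service-class" component names; we reduce it to package names.
fun unknownAccessibilityServices(
    enabledSetting: String?,
    allowedPackages: Set<String>,
): List<String> =
    enabledSetting.orEmpty()
        .split(':')
        .filter { it.isNotBlank() }
        .map { it.substringBefore('/') }
        .distinct()
        .filterNot { it in allowedPackages }

// Example allow-list: the platform screen reader (a real package name) plus
// whatever the vendor has vetted. Everything else is reported as unknown.
val DEFAULT_ALLOWED_ACCESSIBILITY_PACKAGES: Set<String> = setOf(
    "com.google.android.marvin.talkback",
)

fun checkDevicePosture(
    context: Context,
    allowedPackages: Set<String> = DEFAULT_ALLOWED_ACCESSIBILITY_PACKAGES,
): PostureResult {
    // Which accessibility services the user (or something on the device) enabled.
    val enabled = Settings.Secure.getString(
        context.contentResolver,
        Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
    )
    val unknown = unknownAccessibilityServices(enabled, allowedPackages)

    // A device that had strong biometrics yesterday but now reports
    // NONE_ENROLLED or HW_UNAVAILABLE is the state a "biometric interruption"
    // would leave behind; treat a forced fall-back to PIN as a risk signal
    // rather than silently accepting it.
    val bio = BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG)
    val strongOk = bio == BiometricManager.BIOMETRIC_SUCCESS

    return PostureResult(unknown, strongOk)
}
```

When `risky` is true the sensible responses are to require a server-side step-up (out-of-band confirmation, not just a local PIN), to withhold screens that an overlay could imitate, and to report the unknown service package names to the fraud backend so analysts can correlate them across users. On Android 12 and later the app can additionally call `Window.setHideOverlayWindows(true)` on its sensitive activities, which blocks non-system overlay windows from being drawn on top of them.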
These takeaways summarize the important aspects of the Chameleon Android banking trojan discussed in the meeting.