Illustration of cybercriminal using Chameleon malware to steal login credentials, passwords, and OTPs to commit account takeover fraud

A sneaky banking Trojan malware known as “Chameleon” has emerged as one of the latest cybersecurity threats targeting Android devices. Discovered by leading cybersecurity experts earlier this year, Chameleon malware is notably distinct from previously known Trojan families, bearing some resemblance to Xenomorph samples.

This blog dives deep into Chameleon’s threat, its unique features, propagation methodologies, functionalities, Android permissions, and ways to stay safe.

What is Chameleon Malware?

Chameleon malware has primarily targeted users in Australia and Poland since January 2023. The malware is disguised as legitimate apps. Impersonated apps have included the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank. 

How Chameleon Works

Once installed, Chameleon can steal the infected device’s user credentials, cookies, and SMS texts. It can also overlay fake login screens on top of legitimate apps, which can trick users into entering their credentials.

Chameleon is a relatively new malware, but it has already been seen being distributed through compromised websites, Discord attachments, and Bitbucket hosting services. The malware will continue to evolve and become more sophisticated in the future.

Chameleon’s Attack Pattern

Once installed, Chameleon malware can perform a wide range of malicious activities, including:

  • Stealing user credentials from banking apps, cryptocurrency wallets, and other financial services.
  • Injecting fake login screens over legitimate apps to trick users into entering their credentials.
  • Stealing cookies and other session data from infected devices.
  • Capturing SMS messages to obtain one-time passcodes (OTPs) and bypass 2FA systems.
  • Collecting victim’s device passwords (PINs, swipe patterns, or passwords).
  • Preventing analysis of malware (anti-emulation, disabling Google Play Protect).

Chameleon: General Information

Although only discovered recently, Chameleon has been swiftly detected by more than 36 antivirus engines. The Trojan uses the accessibility service, a common trait among banking Trojans, to impersonate popular applications such as CoinSpot, Google Chrome, and even ChatGPT. Chameleon is currently known to target users in Australia and Poland, but the possibility of its expansion to other regions must be considered.

Furthermore, Chameleon exhibits robust development with a strong potential for adding new features, functionalities, and obfuscation methods. It is commonly distributed via Discord links, Bitbucket hosting services, or compromised websites, with no detected samples on Google Play yet.

The malware employs various deceptive tactics, such as triggering an automatic download of the malicious application when a user enters a URL in their browser; users should therefore disable automatic downloads in their browser settings.

Chameleon comes packed with several damaging functionalities, including keylogging, overlay attacks, SMS capture, and the ability to prevent uninstallation, to name a few. These capabilities present a stark reminder of the need for users to be wary of installing applications from unknown sources and adequately configuring their devices.

Chameleon Malware Android Permissions

Chameleon’s intrusiveness is further exemplified by the permissions it requests, which starkly contrast with those typically needed by the applications it impersonates. These permissions range from reading and writing contacts and capturing SMS messages to more invasive permissions like recording audio and reading and modifying the phone state.
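One way a defender can triage an app against the permission profile described above is to parse its manifest and flag the combination of SMS, overlay, audio and accessibility-service access. This is an added example, not code from the original post or from any Chameleon analysis; the package name, sample manifest and permission weights are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (what it enables for a banking Trojan, weight). Constructed heuristic.
SUSPICIOUS = {
    "android.permission.RECEIVE_SMS": ("SMS capture / OTP theft", 3),
    "android.permission.READ_SMS": ("SMS capture / OTP theft", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay fake login screens", 3),
    "android.permission.RECORD_AUDIO": ("audio recording", 2),
    "android.permission.MODIFY_PHONE_STATE": ("altering phone state", 2),
    "android.permission.READ_PHONE_STATE": ("device fingerprinting", 1),
    "android.permission.READ_CONTACTS": ("contact harvesting", 1),
    "android.permission.WRITE_CONTACTS": ("contact tampering", 1),
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Report suspicious permissions, accessibility-service use and a score."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = {p: SUSPICIOUS[p][0] for p in sorted(requested & set(SUSPICIOUS))}
    score = sum(SUSPICIOUS[p][1] for p in findings)
    # An accessibility service is a <service> guarded by the BIND permission;
    # the post notes Chameleon relies on it, so weight it heavily.
    uses_a11y = any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY
                    for svc in root.iter("service"))
    if uses_a11y:
        score += 4
    return {"package": root.get("package"), "findings": findings,
            "accessibility_service": uses_a11y, "score": score}

# Constructed manifest imitating an app posing as a crypto-exchange client.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeexchange">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application>
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate exchange or banking client typically needs none of the flagged permissions, so a non-zero score for such an app is a strong signal to investigate.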

Spotting and Removing Chameleon

Individuals who believe their Android devices may be infected with Chameleon malware should take the following steps:

  • Scan devices with a reputable antivirus or anti-malware program.
  • Uninstall any suspicious apps that aren’t recognized.
  • Change passwords for online accounts and the lock pattern of the mobile device.
  • Be careful about what apps are installed on your device and only download apps from trusted sources.

Download our threat analysis report to truly understand the threat Chameleon Malware creates. 

The fight against cybersecurity threats like Chameleon necessitates a collaborative approach. Reporting suspicious behaviors and sharing knowledge within the community can be instrumental in preventing and mitigating these threats.

Remember, in the realm of cybersecurity, vigilance is our most potent weapon. Stay safe and stay vigilant.