Chameleon Banking Trojan: Targets Expand to U.K. and Italy | Review Space





The Sophisticated Resurgence of Chameleon Banking Malware and the Escalation of Android Threats

NEWS  Security  December 23, 2023  Reading time: 2 Minute(s)

Max (RS editor)


In a recent report, Dutch mobile security firm ThreatFabric has uncovered an updated variant of the notorious Chameleon banking malware, expanding its reach to users in the United Kingdom and Italy. Representing a refined iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using Android's accessibility service, showcasing an alarming sophistication in its capabilities.

The Chameleon's Previous Exploits

Initially documented by Cyble in April 2023, Chameleon had targeted users in Australia and Poland, employing tactics like phishing and overlay attacks. Impersonating legitimate institutions such as the Australian Taxation Office and a cryptocurrency trading platform called CoinSpot, the malware sought to deceive users and gain access to sensitive data through Android's accessibility service.

Zombinder's Role in the Resurgence

ThreatFabric's latest findings highlight that the banking trojan is now distributed via Zombinder, an off-the-shelf dropper-as-a-service (DaaS). Previously suspected to be shut down, Zombinder resurfaced, offering capabilities to bypass Android's 'Restricted Settings' feature and install malware on devices. The use of Zombinder underscores the adaptability of threat actors and their ability to evolve malicious techniques.

Advanced Features of the Enhanced Variant

The enhanced Chameleon variant introduces a new level of sophistication by utilizing Android APIs to disrupt the biometric operations of targeted devices. It covertly transitions the lock screen authentication mechanism to a PIN, granting the malware the ability to "unlock the device at will" through the accessibility service. Additionally, the malware now specifically targets Android 13 and later versions, demonstrating a keen awareness of the evolving Android ecosystem.

Growing Threat Landscape

ThreatFabric's report is just one example of the evolving threat landscape within the Android ecosystem. As the Chameleon banking trojan adapts and demonstrates increased resilience, cybersecurity experts warn of the rising sophistication of Android-based threats. The development coincides with Zimperium's revelation that 29 malware families, including 10 new ones, targeted 1,800 banking applications across 61 countries in the past year.

Global Impact and Top Targets

The U.S. remains a prime target, with 109 banking applications affected, followed by the U.K. and Italy. Noteworthy financial institutions, including Bank of America, Wells Fargo, Barclays, and QNB Finansbank, have become focal points for these cyber threats. As the threat landscape expands, traditional banking applications continue to be the primary targets, constituting 61% of the attacks, while emerging FinTech and Trading apps make up the remaining 39%.

The emergence of the evolved Chameleon banking trojan underscores the constant evolution and adaptability of cyber threats within the Android ecosystem. As threat actors employ increasingly sophisticated techniques, cybersecurity measures must evolve in tandem to protect users and institutions from the expanding menace of banking trojans and other malicious activities. Vigilance and proactive security measures are imperative to mitigate the risks posed by the dynamic and relentless nature of the cyber threat landscape.
