Chameleon Malware Blocks Android Fingerprint Authentication To Steal Your PIN

Android malware keeps evolving and acquiring terrifying new capabilities. One example is the Chameleon banking trojan, which was first discovered in early 2023. Its latest update gives the malicious app new capabilities, such as blocking fingerprint authentication so that it can capture your PIN or password.

Most Android users don't need to worry about Chameleon as long as they only download apps from the Google Play Store and know how to avoid online phishing. Chameleon can only be installed on your device if you download apps from third-party websites.

The latest Chameleon malware may appear as a Chrome browser app. The app has dangerous malware attached to it and tricks you into thinking you are getting a genuine product from Google. The solution here is simple: get your applications from the Play Store and do not install them from anywhere else.

Cybersecurity researchers from ThreatFabric have detailed the new and improved version of Chameleon.

One of the improvements of this malware is its greater reach. It was discovered in the UK and Italy, while the original versions only targeted Android users in Australia and Poland. The first version of the Trojan already had dangerous capabilities and was aimed at the user's banking and cryptocurrency applications:

This banking Trojan demonstrated a strong ability to manipulate the victim's device and perform actions on its behalf through the proxy function. This feature enables advanced maneuvers such as account takeover (ATO) and device takeover (DTO) attacks, particularly targeting banking applications and cryptocurrency services. These features were based on abuse of access rights to the Accessibility Service.

In Australia, it was disguised as requests from official agencies such as the Australian Taxation Office (ATO). In Poland, it was disguised as a popular mobile banking application.

The updated version, which is distributed throughout Europe, poses as a download of the Google Chrome browser.

Once installed, Chameleon attempts to do two things: enable accessibility services and disable biometric prompts.

In the first stage, the malware checks which Android version the phone is running. When Android 13 or later is detected, it displays an HTML page that guides the user through the process of enabling accessibility on the device. The page offers step-by-step instructions and appears to be genuine help to unsuspecting victims.

The second new feature of Chameleon is the ability to disable biometric authentication in favor of a PIN code:

This method uses the KeyguardManager API and AccessibilityEvent to evaluate the state of the screen and keyguard. It evaluates the status of the keyguard relative to various locking mechanisms such as pattern, PIN or password. When the specified conditions are met, the malware uses the AccessibilityEvent action to switch from biometric authentication to PIN authentication. This bypasses the biometric prompt, allowing the Trojan to unlock the device at will.

This feature allows the malware to steal PINs and passwords using its keylogging functionality. This could allow thieves who steal the phone to use it.
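A defender-side check for the condition described above, an app installed from outside the Play Store that holds an enabled accessibility service, as an added example that is not from ThreatFabric or the original article. It parses text captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package `com.example.fakebrowser` and the sample output are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store

def parse_enabled_services(setting_value):
    """Parse the enabled_accessibility_services setting.

    The value is a colon-separated list of components written as package/class.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [tuple(item.split("/", 1)) for item in value.split(":") if "/" in item]

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines: package:<name>  installer=<name>."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def sideloaded_accessibility_services(setting_value, pm_output, system_packages=()):
    """Return (package, service, installer) for every enabled accessibility
    service whose package was not installed by the Play Store."""
    installers = parse_installers(pm_output)
    findings = []
    for package, service in parse_enabled_services(setting_value):
        if package in system_packages:
            continue  # preinstalled packages are out of scope for this check
        installer = installers.get(package)
        if installer != PLAY_STORE:
            findings.append((package, service, installer or "unknown"))
    return findings

# Constructed sample output (not captured from a real device).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakebrowser/.UpdateService\n")
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebrowser  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, svc, src in sideloaded_accessibility_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg}{svc} (installed by {src})")
```

A finding is a prompt for review, not proof of infection: legitimate apps from other stores or from a device management tool also appear here.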

Alternatively, forcing PIN authentication could be useful if hackers could use the malware to remotely boot the phone. They could then unlock the screen and protected apps using the same PIN or password combination that stands in for the fingerprint. While this is just speculation, it is clear that Chameleon is a more advanced and dangerous version than the one released in early 2023.

Finally, ThreatFabric researchers say that Chameleon also has improved task scheduling capabilities and can adapt to the applications the user may be using on the device. If accessibility features are enabled, the malware can display fake screens that appear genuine on top of an app. Otherwise, it can collect data about priority applications.

Google is aware of the threat and told The Hacker News that Play Protect will protect users from the threat.

The emergence of the new banking Trojan Chameleon is another example of the evolving and adapting threat landscape in the Android ecosystem. This variant is a development of the previous version and is characterized by greater reliability and new advanced functions.

But ultimately, you should avoid downloading apps from untrusted sources. This also means never clicking on suspicious links that you may receive via email or instant chat apps. All of this goes double if you have a phone that doesn't have Google Play Services installed, because Play Services is the only way to use the Play Protect feature that Google has enabled by default on devices with the Google Play Store installed.

I would also say that if you have an Android phone that doesn't support Google apps, you should probably avoid downloading those Google apps from anywhere. This is how you can get into trouble.