New banking malware meets Android – Futura

Chameleon is a new banking malware that has been plaguing Android since the beginning of the year. It is aimed at users in Australia and Poland, as well as users of the CoinSpot cryptocurrency service.

Researchers at cybersecurity company Cyble have discovered new banking malware on Android. Dubbed Chameleon, it pretends to be the CoinSpot cryptocurrency application, an Australian government agency, or even a Polish bank.

The malware can record keystrokes (keylogger), display overlays on top of other applications (overlay attack), steal cookies and record the lock screen code. It can even read SMS messages to retrieve one-time codes for two-factor authentication. All collected data is sent to a command and control (C&C) server.

Malware that exploits Android accessibility services

Chameleon has been active since at least January 2023 and deceives users with the icons of well-known applications such as Google Chrome, Bitcoin or ChatGPT. It also includes multiple defenses. On startup, it checks whether it is running in an emulator rather than on a real Android device. If so, it disables itself to avoid being detected by cybersecurity specialists. Otherwise, it hijacks the device’s accessibility features to grant itself the permissions it needs, disable Google Play Protect and block its own uninstallation.

The good news is that this malware is not (yet?) in the Google Play Store and therefore should not be able to infect those who have not enabled the installation of applications from unknown sources. It was distributed via compromised websites and Discord attachments, and was even hosted on Bitbucket. However, the researchers point out that Chameleon is still in its infancy and has the potential to evolve and pose a serious threat.
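
Because Chameleon relies on an accessibility service and arrives from outside the Play Store, a quick triage check on a device is to list enabled accessibility services whose package has no trusted installer of record. The script below is an added example, not code from Cyble or from the article; it parses the output of two standard `adb shell` commands, and the package names, sample outputs and trusted-installer list are constructed assumptions.

```python
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_accessibility_services(raw):
    """Parse `settings get secure enabled_accessibility_services` into {package: [components]}."""
    services = {}
    for component in raw.strip().split(":"):
        pkg, sep, _ = component.partition("/")
        if sep and pkg:  # skips "", "null" and malformed entries
            services.setdefault(pkg, []).append(component)
    return services

def parse_third_party_installers(raw):
    """Parse `pm list packages -3 -i` into {package: installer, or None if unset}."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):] or None
        installers[fields[0][len("package:"):]] = installer
    return installers

def flag_sideloaded_services(settings_raw, packages_raw):
    """Return (package, installer, services) for each third-party app that has
    an enabled accessibility service and no trusted installer of record."""
    installers = parse_third_party_installers(packages_raw)
    findings = []
    for pkg, components in sorted(parse_accessibility_services(settings_raw).items()):
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers[pkg], components))
    return findings

# Constructed sample data (hypothetical package names, not from a real device).
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.passwordmanager/.AutofillService:"
    "com.example.sideloaded/.HelperService\n"
)
SAMPLE_PACKAGES = (
    "package:com.example.passwordmanager  installer=com.android.vending\n"
    "package:com.example.sideloaded  installer=null\n"
    "package:com.example.game  installer=com.android.packageinstaller\n"
)

if __name__ == "__main__":
    for pkg, installer, components in flag_sideloaded_services(SAMPLE_SETTINGS, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} installer={installer} services={components}")
```

A finding is a candidate for manual review, not a verdict: legitimately sideloaded accessibility tools will also appear in the list.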