A new variant of an Android banking Trojan has appeared that can bypass biometric security to break into devices, demonstrating an evolution in the malware that attackers now are wielding against a wider range of victims.

The Chameleon banking Trojan — so-named for its ability to adapt to its environment through multiple new commands — first appeared on the scene in a “work-in-progress” version in January, specifically to target users in Australia and Poland. Spread through phishing pages, the malware’s behavior then was characterized by an ability to impersonate trusted apps, disguising itself as institutions like the Australian Taxation Office (ATO) and popular banking apps in Poland to steal data from user devices.

Now, researchers at Threat Fabric have spotted a new, more sophisticated version of Chameleon that also targets Android users in the UK and Italy, and spreads through a Dark Web Zombinder app-sharing service disguised as a Google Chrome app, they revealed in a blog post published Dec. 21.

The variant includes several new features that make it even more dangerous to Android users than its previous incarnation, including a new ability to interrupt the biometric operations of the targeted device, the researchers said.

By unlocking biometric access (facial recognition or fingerprint scans, for example), attackers can access PINs, passwords, or graphical keys through keylogging functionalities, as well as unlock devices using previously stolen PINs or passwords. “This functionality to effectively bypass biometric security measures is a concerning development in the landscape of mobile malware,” according to Threat Fabric’s analysis.

The variant also has an expanded feature that leverages Android’s Accessibility service for device takeover attacks, as well as a capability found in many other trojans to allow task scheduling using the AlarmManager API, the researchers found.

“These enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans,” they wrote.

Chameleon: A Shape-Shifting Biometric Capability

Overall, the three distinct new features of Chameleon demonstrate how threat actors respond to and continuously seek to bypass the latest security measures designed to combat their efforts, according to Threat Fabric.

The malware’s key new ability to disable biometric security on the device is enabled by issuing the command “interrupt_biometric,” which executes the “InterruptBiometric” method. The method uses Android’s KeyguardManager API and AccessibilityEvent to assess the device screen and keyguard status, evaluating the state of the latter in terms of various locking mechanisms, such as pattern, PIN, or password.

Upon meeting the specified conditions, the malware uses this action to transition from biometric authentication to PIN authentication, bypassing the biometric prompt and allowing the Trojan to unlock the device at will, the researchers found.

This, in turn, provides attackers with two advantages: making it easy to steal personal data such as PINs, passwords, or graphical keys, and allowing them to enter biometrically protected devices using previously stolen PINs or passwords by leveraging Accessibility, according to Threat Fabric.

“So although the victim’s biometric data remains out of reach for actors, they force the device to fall back to PIN authentication, thereby bypassing biometric protection entirely,” according to the post.

Another key new feature is an HTML prompt to enable the Accessibility service, on which Chameleon depends to launch an attack to take over the device. The feature involves a device-specific check activated upon the receipt of the command “android_13” from the command-and-control (C2) server, displaying an HTML page that prompts users to enable the Accessibility service and then guiding them through a manual step-by-step process.

A third feature in the new variant introduces a capability also found in many other banking Trojans, but which until now Chameleon did not have: task scheduling using the AlarmManager API.

However, as opposed to other manifestations of this feature in banking Trojans, Chameleon’s implementation takes a “dynamic approach, efficiently handling accessibility and activity launches in line with standard trojan behavior,” according to Threat Fabric. It does this by supporting a new command that can determine whether accessibility is enabled or not, dynamically switching between different malicious activities depending on the state of this feature on the device.

“The manipulation of accessibility settings and dynamic activity launches further underscore that the new Chameleon is a sophisticated Android malware strain,” according to Threat Fabric.

Android Devices at Risk From Malware

With attacks against Android devices soaring, it’s more crucial than ever for mobile users to be wary of downloading any applications on their device that seem suspicious or aren’t distributed through legitimate app stores, security experts advise.

“As threat actors continue to evolve, this dynamic and vigilant approach proves essential in the ongoing battle against sophisticated cyber threats,” the researchers wrote.

Threat Fabric managed to track and analyze samples of Chameleon related to the updated Zombinder, which uses a sophisticated two-staged payload process to drop the Trojan. “They employ the SESSION_API through PackageInstaller, deploying the Chameleon samples along with the Hook malware family,” according to the post.

Threat Fabric published indicators of compromise (IoCs) in its analysis, in the form of hashes, app names, and package names associated with Chameleon so users and administrators can monitor for potential infection by the Trojan.
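
A device-side check that complements IoC matching, added here as an example and not taken from Threat Fabric's analysis or from Chameleon itself: because the Trojan depends on an enabled Accessibility service and arrives outside legitimate app stores, the script lists enabled accessibility services whose package was not installed by a trusted store. The sample adb outputs, the `com.example.*` package names, and the trusted-installer set are constructed assumptions.

```python
import re

# Constructed samples (not from the article) of two adb queries on one device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.updater/com.example.updater.core.HelperService")
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.updater  installer=com.example.dropper
package:com.example.dropper  installer=null
"""

# Installers accepted as legitimate stores; a policy assumption, adjust per fleet.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package name -> installer package (None when none is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_a11y(value):
    """Split the colon-separated 'package/class' list; empty or 'null' -> []."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [c.partition("/")[0] for c in value.split(":") if "/" in c]

def untrusted_a11y_services(a11y_value, pm_output, preinstalled=frozenset()):
    """Return (package, installer) for enabled accessibility services not installed
    by a trusted store; pass `pm list packages -s` names as `preinstalled`."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg)) for pkg in parse_a11y(a11y_value)
            if pkg not in preinstalled
            and installers.get(pkg) not in TRUSTED_INSTALLERS]

if __name__ == "__main__":
    for pkg, installer in untrusted_a11y_services(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"review: {pkg} has Accessibility enabled, installer={installer}")
```
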

Source: www.darkreading.com