| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1517 | Access Notifications | Chameleon can register as an |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Chameleon can use HTTP to communicate with the C2 server.[1] |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1407 | Download New Code at Runtime | |
| Mobile | T1646 | Exfiltration Over C2 Channel | |
| Mobile | T1629.001 | Impair Defenses: Prevent Application Removal | Chameleon can prevent application removal by abusing Accessibility Services.[1] |
| Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | |
| Mobile | T1630 | Indicator Removal on Host | Chameleon can remove artifacts of its presence and uninstall itself.[1] |
| Mobile | T1544 | Ingress Tool Transfer | Chameleon can download HTML overlay pages after installation.[1] |
| Mobile | T1417.001 | Input Capture: Keylogging | Chameleon can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Chameleon can perform overlay attacks against a device by injecting HTML phishing pages into a webview.[1] |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | Chameleon has disguised itself as other applications, such as a cryptocurrency app called ‘CoinSpot’ and the IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.[1] |
| Mobile | T1509 | Non-Standard Port | |
| Mobile | T1636.004 | Protected User Data: SMS Messages | |
| Mobile | T1418 | Software Discovery | |
| Mobile | T1426 | System Information Discovery | Chameleon can gather basic device information such as version, model, root status, and country.[1] |
| Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | Chameleon can perform system checks to verify whether the device is rooted or has ADB enabled, and can avoid execution if either is found.[1] |