Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official apps.[1]

ID: S1083
Type: MALWARE
Platforms: Android
Contributors: Yasuhito Kawanishi, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 16 August 2023
Last Modified: 26 September 2023

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

Chameleon can register a BroadcastReceiver for incoming SMS messages in order to monitor them.[1]

Mobile T1437.001 Application Layer Protocol: Web Protocols

Chameleon can use HTTP to communicate with the C2 server.[1]

Mobile T1533 Data from Local System

Chameleon can gather cookies and device logs.[1]

Mobile T1407 Download New Code at Runtime

Chameleon can download new code at runtime.[1]

Mobile T1646 Exfiltration Over C2 Channel

Chameleon can send stolen data over HTTP.[1]

Mobile T1629.001 Impair Defenses: Prevent Application Removal

Chameleon can prevent application removal by abusing Accessibility Services.[1]

Mobile T1629.003 Impair Defenses: Disable or Modify Tools

Chameleon can disable Google Play Protect.[1]

Mobile T1630 Indicator Removal on Host

Chameleon can remove artifacts of its presence and uninstall itself.[1]

Mobile T1544 Ingress Tool Transfer

Chameleon can download HTML overlay pages after installation.[1]

Mobile T1417.001 Input Capture: Keylogging

Chameleon can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.[1]

Mobile T1417.002 Input Capture: GUI Input Capture

Chameleon can perform overlay attacks against a device by injecting HTML phishing pages into a webview.[1]

Mobile T1430 Location Tracking

Chameleon can gather device location data.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

Chameleon has disguised itself as other applications, such as the cryptocurrency app ‘CoinSpot’ and the IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.[1]

Mobile T1509 Non-Standard Port

Chameleon can communicate over port 7242 using HTTP.[1]

Mobile T1636.004 Protected User Data: SMS Messages

Chameleon can gather SMS messages.[1]

Mobile T1418 Software Discovery

Chameleon can read the name of application packages.[1]

Mobile T1426 System Information Discovery

Chameleon can gather basic device information such as version, model, root status, and country.[1]

Mobile T1633.001 Virtualization/Sandbox Evasion: System Checks

Chameleon can perform system checks to determine whether the device is rooted or has ADB enabled, and it can abort execution if either condition is found.[1]

References