Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

ID: S1083
Type: MALWARE
Platforms: Android
Contributors: Liran Ravich, CardinalOps; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Yasuhito Kawanishi, NEC Corporation
Version: 2.0
Created: 16 August 2023
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Mobile T1453 Abuse Accessibility Features

After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting itself additional permissions, preventing uninstallation, and disabling Play Protect.[1][2]

Mobile T1517 Access Notifications

Chameleon has registered an SMS BroadcastReceiver to monitor incoming SMS messages.[1]

Mobile T1437 Application Layer Protocol

Chameleon has used a SOCKS proxy.[2]

Mobile T1437.001 Application Layer Protocol: Web Protocols

Chameleon has used HTTP to communicate with the C2 server.[1]

Mobile T1616 Call Control

Chameleon has the ability to control calls.[2]

Mobile T1533 Data from Local System

Chameleon has gathered cookies and device logs.[1][2]

Mobile T1407 Download New Code at Runtime

Chameleon has the ability to download new code at runtime.[1]

Mobile T1646 Exfiltration Over C2 Channel

Chameleon has sent stolen data over HTTP.[1]

Mobile T1629.001 Impair Defenses: Prevent Application Removal

Chameleon has prevented application removal by abusing Accessibility Services.[1][2]

Mobile T1629.003 Impair Defenses: Disable or Modify Tools

Chameleon has the ability to disable Google Play Protect.[1][2]

Mobile T1630 Indicator Removal on Host

Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1]

Mobile T1544 Ingress Tool Transfer

Chameleon has downloaded HTML overlay pages after installation.[1]

Mobile T1417.001 Input Capture: Keylogging

Chameleon has logged keystrokes on an infected device.[1] Additionally, Chameleon has stolen PINs, passwords, and graphical keys through its keylogging functionality.[2]

Mobile T1417.002 Input Capture: GUI Input Capture

Chameleon has performed overlay attacks against a device by injecting HTML phishing pages into a WebView.[1] Chameleon has launched overlay attacks through the "Injection" activity.[2]

Mobile T1430 Location Tracking

Chameleon has gathered device location data.[1]

Mobile T1461 Lockscreen Bypass

Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon first checks a set of specified conditions, then uses an AccessibilityEvent action to transition from biometric authentication to PIN authentication.[2]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

Chameleon has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.[1][2]

Mobile T1575 Native API

Chameleon has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.[2]

Mobile T1509 Non-Standard Port

Chameleon has communicated over port 7242 using HTTP.[1]

Mobile T1660 Phishing

Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.[2]

Mobile T1636.004 Protected User Data: SMS Messages

Chameleon has gathered SMS messages.[1]

Mobile T1603 Scheduled Task/Job

Chameleon has used the AlarmManager API to schedule tasks.[2]

Mobile T1513 Screen Capture

Chameleon has captured the device’s screen.[2]

Mobile T1418 Software Discovery

Chameleon has read the name of application packages.[1]

Mobile T1426 System Information Discovery

Chameleon has the ability to gather basic device information, such as version, model, root status, and country.[1] Chameleon has also checked the Restricted Settings status of the device. If the Android 13 Restricted Settings feature is present, an HTML page with instructions on how to enable the Accessibility Service is shown to the user. Additionally, Chameleon has checked the keyguard status to determine how the device is locked (e.g., pattern, PIN, or password).[2]

Mobile T1633.001 Virtualization/Sandbox Evasion: System Checks

Chameleon has performed system checks to determine whether the device is rooted or has ADB enabled; if either condition is found, Chameleon will avoid execution.[1]

References