A new Android trojan known as Chameleon has been detected by cybersecurity firm Cyble, targeting users in Australia and Poland. The malware is reportedly distributed through compromised websites, Discord attachments, and Bitbucket hosting services, and mimics the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank.
Chameleon includes a variety of malicious functions, such as stealing user credentials through overlay injections and keylogging, cookies, and SMS texts from the infected device.
Upon launch, the malware performs numerous checks to evade detection by security software, including anti-emulation checks to detect if the device is rooted and debugging is activated, increasing the likelihood that the app is running in an analyst’s environment.
If the environment appears clean, the infection continues, and Chameleon requests the victim to permit it to use the Accessibility Service, which it abuses to grant itself additional permissions, disable Google Play Protect, and stop the user from uninstalling it.
The malware then sends the device version, model, root status, country, and precise location upon first connection with the C2, probably to profile the new infection.
Depending on what entity the malware impersonates, it opens its legitimate URL in a WebView and starts loading malicious modules in the background, including a cookie stealer, a keylogger, an injector of phishing pages, a lock screen PIN/pattern grabber, and an SMS stealer that can snatch one-time passwords and help the attackers bypass 2FA protections.
Most of these data-stealing systems rely on the abuse of Accessibility Services to work as required.
Finally, the same system service is abused to prevent the uninstallation of the malware, identifying when the victim attempts to remove the malicious app and deleting its shared preference variables to make it appear as if it’s no longer present in the device.
The wiping of shared preferences files forces the app to re-establish communications with the C2 the next time it launches but prevents its uninstallation and makes it harder for researchers to analyze.
Android users are advised to be careful with apps they install on their devices, only download software from official stores, and ensure that Google Play Protect is always enabled.
