New Version of Malware Chameleon Targets Users in the UK and Italy

Recently, mobile security researchers discovered an enhanced version of the Android banking malware known as Chameleon, which has expanded its operations to target users in the United Kingdom and Italy. This variant can conduct Device Takeover (DTO) attacks using accessibility services, while also extending its reach to new regions.

Previously, Chameleon primarily focused on users in Australia and Poland. The malware utilizes Android’s accessibility service to exploit permissions and gather sensitive user data, as well as carry out overlay attacks. In previous versions, Chameleon was distributed through suspicious applications that impersonated well-known institutions in the respective countries.

However, the latest findings from ThreatFabric, a Dutch provider of mobile security solutions, indicate that this banking trojan is now delivered through Zombinder, a “dropper-as-a-service” (DaaS) offering used by various cybercriminal groups. Zombinder allows malicious payloads to be attached to legitimate applications, enabling discreet distribution of the malware.

An interesting feature of this enhanced version of Chameleon is its ability to perform DTO fraud by utilizing accessibility services to execute unauthorized actions on the victim’s device. To activate this function, the malware checks the Android version and prompts the user to enable the accessibility service if the device runs on Android 13 or newer.

Additionally, the new version disrupts biometric operations on the targeted device, quietly changing the lock screen authentication mechanism to a PIN. This allows the malicious software to unlock the device at its discretion using the accessibility service.
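Because the takeover described above depends on an enabled accessibility service, a device audit can list the enabled services and flag those whose package has no trusted store recorded as its installer. The following is an added example, not code from ThreatFabric or the original article; the trusted-installer list, the function names and the sample data are assumptions constructed for illustration.

```python
# Audit enabled accessibility services against each package's install source.
# Inputs are the text printed by these real commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
import re

# Assumption: installers treated as trusted; adjust for your environment.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(raw):
    """Return (package, component) pairs from the colon-separated setting."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: nothing enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if "/" in entry:                  # flattened form is package/class
            pairs.append((entry.split("/", 1)[0], entry))
    return pairs

def parse_installers(raw):
    """Map package name -> installer from 'pm list packages -i' output."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def audit(services_raw, packages_raw, system_packages=frozenset()):
    """Return (component, installer) for services from untrusted sources.

    system_packages: names from 'pm list packages -s'; preinstalled apps
    often report installer=null and would otherwise be flagged.
    """
    installers = parse_installers(packages_raw)
    findings = []
    for package, component in parse_enabled_services(services_raw):
        if package in system_packages:
            continue
        installer = installers.get(package, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append((component, installer))
    return findings

# Constructed sample data (hypothetical package names, not real indicators).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.browser.update/.HelperService")
SAMPLE_PACKAGES = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
                   "package:com.example.browser.update  installer=null\n")
```

A finding is a prompt for review rather than a verdict: legitimate accessibility tools are sometimes installed outside a store.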

The emergence of this new variant of Chameleon illustrates the ongoing evolution of threats in the Android ecosystem. This malware demonstrates greater resilience and more advanced features than previous versions.

This discovery accompanies the revelation by Zimperium, a mobile security company, that in the past year, 29 families of malware, including 10 new ones, have targeted 1,800 banking applications in 61 countries. The countries most vulnerable to these attacks are the United States, United Kingdom, Italy, Australia, and Turkey.

Traditional banking applications, which account for 61% of the attacks, are the most common targets of these types of malware. However, fintech and commerce applications are also increasingly being targeted.

As the threat landscape continues to evolve, users must remain vigilant and take necessary precautions to protect their devices and sensitive information from such attacks.

FAQ

What is Chameleon malware?
Chameleon is an Android banking trojan. It exploits the system's accessibility service to gather sensitive user data and conduct overlay attacks on banking applications.

How does Zombinder work?
Zombinder is a service that allows malicious payloads to be attached to legitimate applications. This enables discreet distribution of the malware.

Source:
Bezpośrednie zagrożenie: https://bezposredniezagrozenie.pl/wiadomosci/komputerowe-whatthefuckery-na-sliczne-oczy

The source of the article is from the blog maestropasta.cz