The Chameleon banking trojan is malicious software that targets Android devices and steals banking credentials, personal data, and other sensitive information from unsuspecting users. The trojan has recently evolved to bypass biometric authentication methods, such as fingerprint and face recognition, making it more dangerous and harder to detect.
The Threat of Chameleon Android Banking Trojan
The Chameleon banking trojan was first discovered in 2019 by security researchers at ThreatFabric. The trojan belongs to the Hydra malware family, which is known for its sophisticated techniques and frequent updates. The trojan disguises itself as a legitimate app, such as a game, a utility, or a social media app, and tricks users into granting it various permissions, such as accessibility, overlay, and device administrator.
Evolution of Chameleon Trojan
Since its inception, the Chameleon banking trojan has undergone several changes and improvements to evade detection and enhance its capabilities. Some of the notable features of the trojan include:
- Dynamic configuration: The trojan can download and execute commands from a remote server, allowing it to adapt to different targets and scenarios.
- Obfuscation and encryption: The trojan uses various techniques to hide its malicious code and data, such as string encryption, code injection, and native libraries.
- Anti-analysis and anti-emulation: The trojan can detect analysis and emulation tools, such as debuggers, root checkers, and virtual machines, and prevent them from running on the infected device.
- Anti-uninstall: The trojan can prevent users from uninstalling it by hiding its icon, blocking the settings app, and abusing the device administrator privilege.
Previous Capabilities
The main goal of the Chameleon banking trojan is to steal banking credentials and other sensitive information from users. The trojan can achieve this by:
- Overlay attacks: The trojan can display fake login screens on top of legitimate banking apps, and capture the user’s input, such as username, password, and PIN.
- Keylogging: The trojan can record the user’s keystrokes and send them to a remote server, allowing it to capture any information typed by the user, such as credit card numbers, email addresses, and passwords.
- SMS interception: The trojan can read and delete incoming SMS messages, and send SMS messages to premium numbers, allowing it to bypass two-factor authentication and generate revenue for the attackers.
- Screen recording: The trojan can record the user’s screen activity and send it to a remote server, allowing it to capture any information displayed on the screen, such as account balances, transaction details, and personal data.
Unveiling the Enhanced Chameleon Variant
In 2023, security researchers at Kaspersky Lab discovered a new variant of the Chameleon banking trojan, which has added new features and capabilities to its arsenal. The most notable feature of the new variant is its ability to bypass biometric authentication methods, such as fingerprint and face recognition, which are widely used by banking apps and other services to secure user accounts.
New Features
The new variant of the Chameleon banking trojan has introduced the following features to enhance its functionality and stealth:
- RAT functionality: The trojan can act as a remote access tool (RAT), allowing the attackers to take full control of the infected device, and perform actions such as opening apps, clicking buttons, and typing text.
- Notification manipulation: The trojan can manipulate the notifications displayed by the device, such as hiding, modifying, or creating fake notifications, to lure users into opening malicious apps or granting permissions.
- Screen lock bypass: The trojan can bypass the screen lock of the device, such as PIN, pattern, or password, by using the accessibility service to simulate user input.
Disruption of Biometric Authentication
The most dangerous feature of the new variant of the Chameleon banking trojan is its ability to disrupt biometric authentication methods, such as fingerprint and face recognition, which are widely used by banking apps and other services to secure user accounts. The trojan can achieve this by:
- Fingerprint spoofing: The trojan can spoof the fingerprint sensor of the device, and send a fake fingerprint image to the system, allowing it to unlock the device or authenticate transactions without the user’s consent.
- Face recognition bypass: The trojan can bypass the device’s face recognition feature by using the RAT functionality to open the front camera and present a photo or video of the user’s face, tricking the system into unlocking the device or authenticating transactions without the user’s consent.
The Impact of the Modified Chameleon Variant
The modified Chameleon banking trojan poses a serious threat to the security and privacy of Android users, as it can bypass biometric authentication methods, which are considered more secure and convenient than traditional methods, such as passwords and PINs. The impact of the modified Chameleon variant can be summarized as follows:
- Increased risk of fraud and theft: The modified Chameleon banking trojan can steal banking credentials and other sensitive information from users, and use them to perform fraudulent transactions, such as transferring money, paying bills, or buying goods and services, without the user’s knowledge or consent.
- Vulnerable Android devices: The modified Chameleon banking trojan can infect any Android device running Android 6.0 or higher, which accounts for more than 90% of the Android market share. The trojan can exploit various vulnerabilities and loopholes in the Android system, such as the accessibility service, the overlay feature, and the biometric framework, to gain access to and control over the device.
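A defensive counterpart to the abuse paths named above (accessibility-service input simulation and the biometric framework), written here as an added Kotlin example that is not from the article or from any vendor's code: the allow-list, the key alias and the payload are assumptions. It flags unexpected accessibility services as a risk signal and binds transaction signing to a hardware-verified class-3 biometric with no PIN or pattern fallback, so simulated taps cannot complete an authorization.

```kotlin
import android.content.Context
import android.provider.Settings
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature

// Accessibility services the app expects to see (constructed allow-list; adjust per deployment).
private val KNOWN_ACCESSIBILITY_SERVICES = setOf("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

/** Enabled accessibility services not on the allow-list; a non-empty result is a risk signal worth logging. */
fun unexpectedAccessibilityServices(ctx: Context): List<String> {
    val enabled = Settings.Secure.getString(ctx.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES) ?: return emptyList()
    return enabled.split(':').filter { it.isNotBlank() && it !in KNOWN_ACCESSIBILITY_SERVICES }
}

/** Keystore signing key the hardware releases only after a class-3 (strong) biometric; no PIN/pattern fallback. */
fun createTransactionKey(alias: String) {
    val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) // API 30+: per-use, biometric only
        .setInvalidatedByBiometricEnrollment(true) // a newly enrolled finger/face invalidates the key
        .build()
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore").apply { initialize(spec) }.generateKeyPair()
}

/** Sign a transaction payload; the Signature is unusable until the biometric is verified by the hardware. */
fun authorizeTransaction(activity: FragmentActivity, alias: String, payload: ByteArray, onSigned: (ByteArray) -> Unit) {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val sig = Signature.getInstance("SHA256withECDSA").apply { initSign(ks.getKey(alias, null) as PrivateKey) }
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm transfer")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG) // deliberately no DEVICE_CREDENTIAL
        .setNegativeButtonText("Cancel")
        .build()
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val s = result.cryptoObject?.signature ?: return // simulated taps never yield an authorized Signature
            onSigned(s.apply { update(payload) }.sign())
        }
    }
    BiometricPrompt(activity, activity.mainExecutor, callback).authenticate(info, BiometricPrompt.CryptoObject(sig))
}
```

Setting FLAG_SECURE on the confirmation window additionally blocks the screen recording described earlier; on devices below API 30, setUserAuthenticationValidityDurationSeconds(-1) is the older equivalent of the per-use biometric requirement.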