Dangerous Android banking trojan Chameleon reemerges
Security researchers at Threat Fabric have discovered a new variant of the Android banking trojan Chameleon. This new variant supports new device takeover capabilities that include the ability to bypass biometric prompts.
Chameleon emerged as a threat in January 2023. It was distributed using various methods to infiltrate Android devices. The initial focus of the banking trojan was users in Poland and Australia.
The trojan targeted banking apps primarily and was distributed through phishing websites by disguising itself as legitimate applications. In Poland, Chameleon disguised itself as legitimate banking apps while it claimed to be an official app of the Taxation Office in Australia.
The new variant of Chameleon takes things a step further. It now also targets Android users in the United Kingdom and Italy, and it is equipped with new capabilities that make it even more dangerous.
Threat Fabric explains that the new variant tends to disguise itself as Google Chrome, the world's most popular web browser. The variant supports two new capabilities.
The first, HTML Prompt to Enable Accessibility Service, responds dynamically on Android 13 devices that apply restrictions to applications. In this case, it displays an HTML page that prompts users to enable Accessibility services. This step is of utmost importance, as Chameleon relies on the Accessibility service to run its device takeover attacks.
The researchers explain: "Upon receiving confirmation of Android 13 Restricted Settings being present on the infected device, the banking trojan initiates the loading of an HTML page. The page is guiding users through a manual step-by-step process to enable the Accessibility Service on Android 13 and higher. The visual representation below provides an overview of the new Chameleon variant's adaptation in response to the Android 13 environment."
The second major feature of the new Chameleon variant is its ability to interrupt biometric operations on infected devices. The core idea behind this feature is to force a switch from biometric authentication, for instance via a fingerprint, to PIN-based authentication.
This allows the trojan to capture the user's PIN, password or pattern. These may then be used by the trojan to unlock the device.
Another improved feature is task scheduling through the AlarmManager API. The trojan again takes a dynamic approach here. In essence, it enables the trojan to determine the foreground app. It needs this information to decide whether to display overlays and inject activity.
The researchers note that attacks rely on the distribution of Android APK files through third-party sources. There is clearly no need to download Google Chrome or other important applications from a third-party source.
The new trojan may target specific regions primarily, but it is clear that operations will expand to other regions in the future.
Now You: do you download and install APK files from third-party sources?