Chameleon Android Malware: Mimicking Legitimate Apps to Steal User Data

Chameleon Android Malware is a type of mobile malware that has been targeting Android users in Australia and Poland since the beginning of 2023, discovered by Cyble.

The malware has been designed to mimic legitimate entities such as CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank to trick users into downloading and installing it on their devices.

Once installed, the Chameleon malware can steal sensitive user data, such as login credentials, SMS texts, and one-time passwords. The malware can also bypass 2FA protections, compromise the victim’s device, and harm organizations that use Android devices for their operations.

Distribution of Chameleon Android Malware

Chameleon has been distributed through compromised websites, Discord attachments, and Bitbucket hosting services.

Upon launch, the malware performs a variety of checks to evade detection by security software, including anti-emulation checks to detect if the device is rooted and debugging is activated.

Abusive Behavior and Malicious Functionality

If the environment appears clean, the infection continues, and Chameleon requests the victim to permit it to use the Accessibility Service, which it abuses to grant itself additional permissions, disable Google Play Protect, and stop the user from uninstalling it.

Chameleon includes a wide range of malicious functionality, including stealing user credentials through overlay injections and keylogging, cookies, and SMS texts from the infected device.

The malware can open its legitimate URL in a WebView and starts loading malicious modules in the background, including a cookie stealer, a keylogger, an injector of phishing pages, a lock screen PIN/pattern grabber, and an SMS stealer that can snatch one-time passwords and help attackers bypass 2FA protections.

Detecting Chameleon Android Malware

Most of these data-stealing systems rely on the abuse of Accessibility Services to work as required, allowing the malware to monitor the screen content, monitor for specific events, intervene to modify interface elements, or send certain API calls as needed.

The same system service is also abused to prevent the uninstallation of the malware by identifying when the victim attempts to remove the malicious app and deleting its shared preference variables to make it appear as if it’s no longer present on the device.

Chameleon can download a payload during runtime and save it on the host as a “.jar” file, to be executed later via DexClassLoader. However, this feature is currently unused.

Android Users Advised to Stay Cautious

Chameleon is an emerging threat that may add more features and capabilities in future versions.

Android users are advised to be cautious with apps they install on their devices, only download software from official stores, and ensure that Google Play Protect is always enabled.

Chameleon Android malware is a serious threat to Android users and organizations as it has been designed to steal sensitive user data, such as login credentials, SMS texts, and one-time passwords. The malware can bypass 2FA protections and compromise the victim’s device, leading to significant financial losses and damage to reputation.

The malware can also harm organizations that use Android devices for their operations, as it can infect multiple devices, steal sensitive data, and compromise their networks. Organizations can lose significant amounts of money due to data theft, intellectual property theft, and downtime.

Chameleon Android Malware Preventive Measures

To prevent Chameleon malware infection, Android users and organizations must take proactive measures to protect their devices and networks.

Some of the preventive measures that can be taken include:

1. Only download apps from official app stores like Google Play Store, and avoid downloading apps from third-party app stores or websites.
2. Keep the Android operating system and all apps up to date with the latest security patches.
3. Enable Google Play Protect, which provides built-in malware protection for Android devices.
4. Install reputable antivirus software on all Android devices.
5. Avoid clicking on suspicious links or attachments in emails, text messages, or social media messages.
6. Educate employees on the dangers of malware and how to identify and report suspicious activities.

Chameleon Android malware is a significant threat to Android users and organizations, and it is important to take proactive measures to protect devices and networks.

Users and organizations should avoid downloading apps from third-party sources, keep their Android devices and software up to date, and enable built-in security features like Google Play Protect.

By staying vigilant and taking proactive measures, users and organizations can reduce the risk of malware infection and protect their sensitive data.