A recently discovered Android banking trojan, known as Chameleon, has been found masquerading as the popular cryptocurrency app CoinSpot. Notably, Chameleon stands out due to the unique commands used by the malware, which do not appear to be associated with any known Trojan families, suggesting it may be a new strain. This malicious software has been operational since January and specifically targets users in Poland and Australia.
Chameleon attack tactics
Besides the CoinSpot app, Chameleon impersonates other popular applications as well, including an Australian government agency and the Polish IKO Bank. Other fake apps were named BCH_Cash (posing as Bitcoin Cash) and LTC_GiveAway (Litecoin).
It is capable of changing its icon to evade notice. For instance, it was found using the icons of various software, such as ChatGPT, Chrome, or Bitcoin, to infect Android users.
These malicious applications are spread via compromised websites, Bitbucket hosting services, and Discord attachments. Attackers also distributed the malware through dedicated URLs.
Its main tactics for stealing user credentials are injection (overlay) and keylogging techniques.
However, researchers believe that the trojan is still in its early stages of development and currently comes with limited capabilities.
Key capabilities
Chameleon comes with the usual banking trojan capabilities, such as keylogging, harvesting SMS messages, launching overlay attacks, preventing its own uninstallation, and stealing cookies.
One of the more interesting features of this malware is that it can disable Google Play Protect.
Additionally, it is equipped with a lock grabber to steal the victim's device unlock secret. The lock grabber can identify whether the user unlocks the device with a PIN, password, or swipe pattern.
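Keylogging, overlay injection and lock grabbing on Android all depend on the malware holding an enabled accessibility service, so a quick triage check is to compare the device's enabled accessibility services against an allowlist. The script below is an added example, not code from the original article or from the researchers it cites; it parses the colon-separated `package/service` list that `adb shell settings get secure enabled_accessibility_services` returns (the sample string and the allowlist are constructed here) and prints every service whose package is not on the allowlist.

```shell
#!/bin/sh
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# output: entries are "package/service", separated by colons. The second entry is a
# made-up package standing in for a dropper that pretends to be a wallet app.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakewallet/com.example.fakewallet.A11yService'

# Allowlist of packages expected to hold accessibility access on this fleet (assumption:
# adjust to the accessibility tools your organisation actually deploys).
ALLOWED_A11Y='com.google.android.marvin.talkback com.android.talkback'

# Print each enabled accessibility service whose package is not in the allowlist.
# $1: raw settings value, $2: space-separated allowlist of package names.
flag_unknown_a11y() {
    _list="$1"
    _allow="$2"
    # `settings get` prints "null" when no accessibility service is enabled.
    [ "$_list" = "null" ] && return 0
    [ -n "$_list" ] || return 0
    printf '%s\n' "$_list" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg="${entry%%/*}"          # package name is everything before the first '/'
        case " $_allow " in
            *" $pkg "*) ;;          # known, expected accessibility tool
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Count of flagged services, usable as a pass/fail signal in a triage pipeline.
count_unknown_a11y() {
    flag_unknown_a11y "$1" "$2" | grep -c .
}

# When a device is attached, read the live value; otherwise fall back to the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    LIVE_A11Y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    LIVE_A11Y="$SAMPLE_A11Y"
fi
echo "Accessibility services not on the allowlist:"
flag_unknown_a11y "$LIVE_A11Y" "$ALLOWED_A11Y"
```

A hit does not prove infection on its own, but an unexpected package with accessibility access, especially one whose label mimics a wallet or bank, is exactly the foothold the capabilities listed above rely on, and it is worth pulling that APK for analysis before the user keeps entering credentials.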
Conclusion
Chameleon is another example of a capable threat targeting Android devices. Although the current variant is not very sophisticated, it still abuses Accessibility Services, which gives attackers room to extend the malware and cause further damage. Therefore, experts suggest staying cautious when opening links received via emails or text messages from unknown senders.