Chameleon Android banking trojan was found in the wild by the Cyble Research and Intelligence Labs (CRIL) targeting mobile users to capture SMS messages and maintain persistence.
This malware captures keystrokes, steals browser cookies, and exploits the accessibility service among others.
The Chameleon Android banking trojan was likely named thus for its nature of changing icons of different software including ChatGPT, Bitcoin, Chrome, CoinSpot, etc.
Activities performed by Chameleon Android banking trojan
The Chameleon Android banking trojan sends device data including its version, model, location, etc., to its C&C server.
It then opens the legitimate application, which it would camouflage into, in a WebView. The malware then steals session cookies from the loaded URL.
Details of Chameleon Android banking trojan
Cybercriminals were using hacked websites to deliver the Chameleon Android banking trojan to unsuspecting users.
Chameleon would run the inject()function to check if the application’s package name, that is on its list, was present in the system.
Upon confirming the presence of a legitimate application, it would inject the malware to create an overlay on a legitimate application.
The Android banking trojan was found stealing the device password and downloading additional pages that it would need to perform certain tasks from the C&C server.
The following website URLs were used as mediums for infecting targets –
- hxxps://cdn.discordapp[.]com/attachments/1051452726615216201/1056574187218681936/LTC_GiveAway[.]apk
- hxxps://bitbucket[.]org/leaanner173/3/downloads/ATO.apk
- hxxps://www[.]renatsoft.com[.]br/CoinSpot[.]apk
- hxxps://bitbucket[.]org/emmon11/download/downloads/AdultFriendFinderApp[.]apk
The malicious software was found to have capabilities to prevent itself from being uninstalled besides having auto-uninstallation of itself in specific scenarios.
Analysis of a sample of Chameleon Android banking trojan
The newly found sample of the Android malware was called CoinSpot.apk and it camouflaged as a cryptocurrency application. The legitimate application that was found being targeted by Chameleon was CoinSpot.
- CoinSpot had the SHA-256 hash value of
- Its command and control server was traced to hxxp://146.70.41[.]143:7242/.
- CoinSpots package name was – com.top.omit
- The C&C server for the Chameleon Android banking trojan was – hxxp://146.70.41[.[143:7242/api/v1/bots/a2dee0d3-9c1e-e1aa75fce-88c64b9a9de
- To communicate with the hacker, Chameleon would use the URL pattern of – /task to perform a task, /log to send logs from the device, and /statistic to share accessibility logs.
The Chameleon Android banking trojan would look for rooted devices and perform anti-emulation checks to see if it can easily emulate other apps. It also sends a request on the device to activate the Accessibility Service.
With more system access and accessibility service control, the Chameleon Android banking trojan would self-grant itself permissions, and disable Play Protect.
Developers are speculated to be working on the Chameleon Android banking trojan to increase its capabilities keeping its present activities in mind.
