Android Banking Trojan Chameleon Now Bypasses Biometric Authentication
A dangerous new variant of the Android banking malware Chameleon has re-emerged with the ability to take over devices and bypass biometric measures to steal passwords and PINs.
Discovered by security researchers at ThreatFabric, the trojan now targets Android users in Italy and the UK. The previous version, identified in April 2023, was known to target users in Australia by disguising itself as the Australian Taxation Office (ATO) and popular banking apps in Poland.
“Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region,” the company said.
Disguised as a Google Chrome app, the new variant is distributed via the Zombinder app-sharing service. Sold on the dark web, the dropper-as-a-service (DaaS) is used to attach malware to legitimate apps.
The current version has two distinct features. First, it displays an HTML page that guides users through enabling the Accessibility service on Android devices that have the “Restricted Settings” feature of Android 13.
This security feature is meant to block the approval of dangerous permissions that help hackers carry out account and device takeover attacks, let malware grant itself permissions, and steal files and data.
Second, by using the Accessibility service, the malware can bypass any biometric prompt, such as face and fingerprint unlock, and force the device to fall back to pattern, PIN, or password authentication. By doing this, the threat actor can later unlock the device at will and perform any malicious activity.
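Because both features depend on a sideloaded app holding an enabled Accessibility service, a device audit can look for exactly that combination. The following is an added example, not code from ThreatFabric or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, using constructed sample output, a hypothetical package name, and an assumed trusted-installer list.

```python
import re

# Installers treated as trusted; an assumption to tune per fleet. Preinstalled
# system apps can report no installer and need their own allowlist.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_enabled_services(setting_value):
    """Return package names from the colon-separated 'pkg/class' list."""
    value = setting_value.strip()
    if not value or value == "null":  # setting is unset: nothing enabled
        return []
    packages = []
    for component in value.split(":"):
        pkg = component.split("/", 1)[0].strip()
        if pkg and pkg not in packages:
            packages.append(pkg)
    return packages

def parse_installers(pm_output):
    """Map package name -> installer from 'pm list packages -i' lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def flag_sideloaded_accessibility(setting_value, pm_output):
    """List (package, installer) pairs with accessibility enabled but no trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in parse_enabled_services(setting_value):
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer))
    return findings

# Constructed sample output; com.example.fakebrowser is a hypothetical package.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                  ":com.example.fakebrowser/com.example.fakebrowser.Svc")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.fakebrowser  installer=null"""

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg} has an accessibility service enabled (installer={installer})")
```

A finding is a prompt for review rather than proof of infection, since legitimate sideloaded accessibility tools produce the same signal.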
In addition to the above features, the new Chameleon variant can also schedule tasks using the AlarmManager API. The API lets an app define, schedule, and run operations at a later time.
“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” ThreatFabric said. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”