In a concerning development, cybersecurity researchers have identified an updated version of the Android banking malware known as Chameleon, which has broadened its scope to include users in the U.K. and Italy. The evolved Chameleon variant, described as a restructured and enhanced iteration of its predecessor, excels in executing Device Takeover (DTO) using Android’s accessibility service while extending its targeted region.

Previously documented by Cyble in April 2023, Chameleon initially focused on users in Australia and Poland. Like typical banking malware, Chameleon exploits Android’s accessibility service to harvest sensitive data and execute overlay attacks, a tactic that involves displaying fake interfaces on top of legitimate apps.

The latest research from Dutch mobile security firm ThreatFabric reveals that Chameleon is now delivered via Zombinder, an off-the-shelf dropper-as-a-service (DaaS) utilized by threat actors. This service allows malicious payloads to be bound to legitimate apps. Despite suspicions of Zombinder’s shutdown earlier in the year, it re-emerged last month, advertising capabilities to bypass Android’s ‘Restricted Settings’ feature and install malware while gaining access to the accessibility service.

The malicious artifacts distributing Chameleon present themselves as the Google Chrome web browser, using package names:

1. Z72645c414ce232f45.Z35aad4dde2ff09b48
2. com.busy.lady

Notably, the enhanced variant introduces the ability to conduct Device Takeover (DTO) fraud. To trick users into enabling settings, the malware checks the Android version, prompting users with Android 13 or later to turn on accessibility services.

A new addition involves using Android APIs to disrupt biometric operations, transitioning the lock screen authentication mechanism to a PIN covertly. This allows the malware to unlock the device at will using the accessibility service.

This evolution of the Chameleon banking trojan underscores the sophisticated and adaptive nature of threats within the Android ecosystem. With increased resilience and advanced features, this variant poses a significant challenge to cybersecurity efforts.

The discovery aligns with Zimperium’s recent revelation that 29 malware families, including 10 new ones, targeted 1,800 banking applications across 61 countries over the past year. The U.S., the U.K., and Italy are among the top countries targeted, emphasizing the global impact of these evolving threats. Traditional banking applications remain the primary target, comprising 61% of the total, while emerging FinTech and Trading apps make up the remaining 39%, indicating a broadening focus within the threat landscape.