# Chameleon
Chameleon is the Android banking trojan that introduced a technique for bypassing biometric authentication prompts to force PIN entry, enabling credential capture through keylogging. Cyble first identified it in early 2023 targeting Australian and Polish users. A significantly upgraded second version, analyzed by ThreatFabric in December 2023, added the biometric bypass alongside the ability to circumvent Android 13's restricted settings protections. By mid-2024, ThreatFabric observed Chameleon expanding into Canada and broader European targeting through campaigns masquerading as CRM applications.
## Overview
| Attribute | Details |
|---|---|
| First Seen | January 2023 |
| Last Seen | Active (ongoing campaigns as of 2024) |
| Status | Active, under continued development |
| Type | Banking trojan |
| Attribution | Unknown |
| Aliases | Chameleon v1, Chameleon v2 |
### Vendor Names
| Vendor | Name |
|---|---|
| ThreatFabric | Chameleon |
| Cyble | Chameleon |
| ESET | Android/Spy.Banker.Chameleon |
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Chameleon |
| Fortinet | Android/Banker.Chameleon |
| Malwarebytes | Android/Trojan.Banker.Chameleon |
| MITRE ATT&CK | S1083 |
## Origin and Lineage
Chameleon is an independent family with no known code lineage to other established banking trojans. Cyble's initial analysis in April 2023 noted that while the malware used standard banking trojan techniques (overlay injection, keylogging, SMS theft), its codebase did not derive from any leaked source (Cerberus, Anubis, etc.). Cyble assessed it was in early development stages, with several commands stubbed out but not yet functional.
The v2 release in late 2023 represented a substantial capability jump. ThreatFabric's analysis showed a malware that had matured rapidly, adding technically sophisticated features like the biometric bypass and Android 13 restricted settings circumvention.
## Distribution
Chameleon uses multi-stage delivery chains, with Zombinder playing a key role in the v2 distribution.
| Vector | Details |
|---|---|
| Fake Chrome APKs | Both v1 and v2 samples frequently masquerade as Google Chrome |
| Zombinder DaaS | v2 distributed via Zombinder, a dropper-as-a-service that binds malicious payloads to legitimate apps. ThreatFabric noted Zombinder samples deploying Chameleon alongside Hook. |
| Compromised websites | Lure pages mimicking legitimate download portals |
| Discord attachments | Malicious APKs shared through Discord channels |
| Bitbucket hosting | APKs hosted on Bitbucket repositories for download |
| Fake CRM apps | 2024 campaign used CRM app lures targeting hospitality sector employees |
### Zombinder Delivery Chain
The v2 delivery via Zombinder follows a two-stage process:
- Victim installs a seemingly legitimate app that has been bound with a Zombinder dropper
- Dropper bypasses Android 13+ restricted settings and deploys Chameleon as a secondary payload
- Chameleon activates and requests accessibility permissions
### CRM Campaign (2024)
ThreatFabric's July 2024 report documented a campaign targeting employees of an international Canadian restaurant chain. The dropper displayed a fake CRM login page requesting an employee ID, then prompted a "reinstall" that was actually the Chameleon payload. The CRM theme was chosen specifically to target B2C employees likely to have access to corporate banking.
## Capabilities
### Version 1 (January 2023)
Cyble documented v1 as functional but still in development:
| Capability | Implementation |
|---|---|
| Overlay attacks | Inject phishing pages over target banking and crypto apps |
| Keylogging | Accessibility service based keystroke capture |
| SMS theft | Intercept and exfiltrate SMS messages for OTP capture |
| Cookie theft | Steal cookies from the device browser |
| Contact harvesting | Exfiltrate device contacts |
| App listing | Enumerate installed packages |
| Self-protection | Disable Google Play Protect, prevent uninstallation |
| Stubbed commands | Several bot commands present in code but not yet implemented |
### Version 2 (December 2023)
ThreatFabric's v2 analysis revealed two headline features:
| Capability | Implementation |
|---|---|
| Biometric prompt bypass | Forces device to fall back from fingerprint/face unlock to PIN/pattern entry, enabling capture via keylogger |
| Android 13 restricted settings bypass | Displays an HTML page guiding the user to enable accessibility on devices enforcing Android 13's restricted settings |
| Device takeover (DTO) | Full device control via accessibility for on-device fraud |
| Task scheduling | Improved job scheduling for persistent operation |
| Expanded targeting | Added UK and Italian banking apps to overlay targets |
## Technical Details
### Biometric Authentication Bypass
Chameleon v2's most significant technique targets the biometric authentication prompt. The implementation:
- Uses the `KeyguardManager` API to assess device lock screen status
- Monitors `AccessibilityEvent` data to detect when a biometric prompt (fingerprint or face) is displayed
- Issues an accessibility action to dismiss the biometric prompt
- Device falls back to PIN, pattern, or password authentication
- Keylogger captures the entered PIN/pattern/password
The stolen PIN serves two purposes: it lets the operators unlock the device at will during remote access sessions, and it is a credential worth stealing in its own right, because a keylogger can capture a typed PIN but never the biometric data it replaces.
### Android 13 Restricted Settings Bypass
Android 13 introduced "restricted settings" that block sideloaded apps from requesting accessibility service and notification listener permissions. Chameleon v2 counters this by displaying an HTML instruction page that walks the victim through manually enabling accessibility for the app via Settings, step by step. The page mimics a legitimate system prompt.
### Accessibility Abuse
Once accessibility is granted, Chameleon v2 operates with the standard banking trojan pattern with several additions:
- Auto-grants additional permissions without user interaction
- Monitors foreground app changes via `TYPE_WINDOW_STATE_CHANGED` events
- Triggers overlay injection for target banking apps
- Captures keystrokes globally, including PIN/pattern entry
- Dismisses biometric prompts to force PIN fallback
- Disables Google Play Protect to prevent detection
- Prevents navigation to app settings to block uninstallation
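Every item in the list above depends on an accessibility service that a sideloaded package obtained by walking the victim through the restricted-settings workaround. As an added example (not Chameleon's code and not from the cited reports), here is a launch-time audit a banking app can run to flag enabled accessibility services whose package is neither a system app nor store-installed. `TRUSTED_INSTALLERS`, the data class and the policy function are assumptions; the Android APIs used are real.

```kotlin
// Added example, not Chameleon code and not from the cited reports: flag enabled
// accessibility services that were not installed by a trusted store. The installer
// allow-list is an assumption to tune per deployment.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.view.accessibility.AccessibilityManager

private val TRUSTED_INSTALLERS = setOf(
    "com.android.vending",              // Google Play
    "com.sec.android.app.samsungapps"   // Galaxy Store
)

data class UntrustedService(
    val packageName: String,
    val serviceClass: String,
    val installer: String?,        // null: sideloaded via adb/file manager, no installer record
    val isAccessibilityTool: Boolean
)

/** Returns every enabled accessibility service that is neither a system app nor store-installed. */
fun findUntrustedAccessibilityServices(context: Context): List<UntrustedService> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { info ->
            val si = info.resolveInfo.serviceInfo
            val pkg = si.packageName
            val app = runCatching { pm.getApplicationInfo(pkg, 0) }.getOrNull()
                ?: return@mapNotNull null
            // Preloaded services (TalkBack on many builds, OEM screen readers) are system apps.
            if (app.flags and ApplicationInfo.FLAG_SYSTEM != 0) return@mapNotNull null
            val installer = installerOf(pm, pkg)
            if (installer in TRUSTED_INSTALLERS) return@mapNotNull null
            UntrustedService(
                packageName = pkg,
                serviceClass = si.name,
                installer = installer,
                // API 33+: services that did not declare themselves an accessibility tool
                isAccessibilityTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                        && info.isAccessibilityTool
            )
        }
}

private fun installerOf(pm: PackageManager, pkg: String): String? = runCatching {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        pm.getInstallSourceInfo(pkg).installingPackageName
    } else {
        @Suppress("DEPRECATION")
        pm.getInstallerPackageName(pkg)
    }
}.getOrNull()

/** Policy: block sensitive screens rather than asking the user to "fix settings",
 *  because an installed bot blocks navigation to its own settings page. */
fun sensitiveScreensAllowed(context: Context, report: (List<UntrustedService>) -> Unit): Boolean {
    val hits = findUntrustedAccessibilityServices(context)
    if (hits.isNotEmpty()) report(hits)   // hand to the fraud backend for device-risk scoring
    return hits.isEmpty()
}
```

Call `sensitiveScreensAllowed` before showing login, transfer or card screens and route the report to the same backend that scores the session. On Android 14 and later, marking credential fields with `android:accessibilityDataSensitive="true"` additionally hides them from services that did not declare themselves an accessibility tool, which narrows what a keylogging service can read even when the audit cannot run.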
### C2 Communication
Chameleon communicates with its C2 over HTTP. The bot:
- Registers with device fingerprint on first launch
- Retrieves target application list and inject URLs
- Polls for commands at regular intervals
- Exfiltrates captured credentials, SMS, and cookies
### Anti-Analysis
| Technique | Method |
|---|---|
| Emulator detection | Checks device properties and sensor availability |
| Zombinder packing | v2 delivered through DaaS packer to evade static detection |
| Play Protect disabling | Actively disables Google Play Protect on infection |
| Dynamic payloads | Dropper retrieves actual payload post-installation |
## Target Regions and Financial Institutions
Chameleon's geographic scope expanded with each version iteration.
| Version | Regions | Target Types |
|---|---|---|
| v1 (Jan 2023) | Australia, Poland | Banking apps, cryptocurrency apps (CoinSpot), government agency impersonation |
| v2 (Dec 2023) | Australia, Poland, UK, Italy | European banking apps, expanded crypto targeting |
| CRM campaign (Jul 2024) | Canada, Europe | Hospitality sector corporate banking, B2C employee targeting |
Australian and Polish institutions were the original and most consistent targets. The v2 expansion into the UK and Italy aligned with distribution through Zombinder, which has a broad European operator base.
## Notable Campaigns
January 2023: Chameleon first observed in the wild, targeting Australian and Polish users. Samples impersonated the CoinSpot cryptocurrency app, Australian government agencies, and the Polish IKO banking app.
April 2023: Cyble published the initial discovery analysis, documenting the malware's capabilities, distribution through compromised websites and Discord, and assessment that it was still in early development.
December 2023: ThreatFabric published the v2 analysis revealing the biometric bypass and Android 13 restricted settings circumvention. Distribution via Zombinder was confirmed, with samples masquerading as Google Chrome. Targeting expanded to UK and Italian banking customers.
July 2024: ThreatFabric reported a new campaign targeting hospitality sector employees in Canada and Europe through fake CRM applications. The campaign used multi-stage droppers that displayed a fake CRM login page before deploying Chameleon. This marked a shift toward targeting corporate banking access rather than individual consumers.