Tuesday December 03, 2024

Advisory ID: ngCERT-2024-0003

Summary: 

Chameleon, a rapidly evolving Android banking Trojans, has been discovered to be targeting Android users globally. The new Android malware type has the potential to bypass any biometric authentication, steal sensitive information such as login credentials and credit card information, and conduct fraudulent operations via banking applications. Chameleon's ability to disable biometric security measures such as fingerprint and facial unlock makes it more dangerous, with disastrous consequences for Android banking users. This highlights the importance for Android phone owners to take the required precautions to mitigate the aforementioned threat. 

Damage/Probability: CRTICAL/HIGH

Description: 

Chameleon trojan was found to enable attackers to carry out Account Takeover (ATO) and Device Takeover (DTO) attacks, mostly targeting banking and cryptocurrency apps. The malware is distributed through phishing pages, disguised as legitimate applications/programs and delivered via a legitimate content distribution network (CDN). The new variant is distributed using Zombinder, a dropper-as-a-service (DaaS) used in attacks against Android users. The trojan performs device-specific checks, which are activated when a command is received from the command-and-control (C&C) server, while targeting the 'Restricted Settings' protections added in Android 13. Upon receiving the command, the Trojan presents an HTML page requesting that the user enable the Accessibility service, which allows the malware to perform DTO. After receiving further commands, the malware assesses the device's screen and keyguard status and then uses the Accessibility Event action to bypass biometric authentication while transitioning to PIN authentication. This fall back to standard facilitates theft of PINs, passwords, or graphical keys using keylogging functionalities, by threat actors. The revised Chameleon edition also includes job scheduling using the AlarmManager API, which was seen in other banking trojans but done differently. If the Accessibility option is not enabled, the trojan can move to gathering information about user programs in order to identify the foreground application and display overlays via the 'Injection' activity.  

Consequences: 

A successful execution of Chameleon banking trojan could result to the following:

  • Financial losses from unauthorized transactions.
  • Data exfiltration.
  • Damage to reputation.
  • Privacy breaches.
  • Disruption of critical financial operations.
  • Privilege escalation on devices. 

Solution: 

It is therefore recommended that android phone users should:

  • Avoid clicking links on emails or text messages, even from seemingly legitimate sources.
  • Ensure that their Android devices and apps are up to date with the latest security patches.
  • Only download apps from the official Google Play Store.
  • Avoid using public Wi-Fi networks for sensitive banking activities.
  • Report suspicious activities to your bank immediately.
  • Be mindful of social engineering and phishing tactics deployed by cybercriminals.
  • Implement mobile device management (MDM) solutions to enforce security policies and remotely manage devices.
  • Ensure that Play Protect is enabled at all times.
  • Run regular scans to ensure that devices are free of malware and adware. 

References: