Cybersecurity researchers have recently discovered a new malware for Android that successfully mimics different kinds of mobile applications - from banking apps, to crypto exchange apps, to government apps.
Chameleon was discovered by researchers from Cyble, who observed hackers distributing the malware through compromised websites, Discord channels, and Bitbucket hosting services.
The tool sports a number of different functionalities, all of which amount to information stealing.
Profiling the target
Once downloaded, the malware will first analyze the device to see if it’s in a honeypot. It will scan the phone to see if it’s rooted and if debugging is activated, as these are usual signals of an analyst’s environment. Once that test is passed, it will ask for Accessibility Service permissions - which is a huge red flag. It’s usually malware that asks for this kind of permission as they allow it to run rampant across the endpoint.
The next step is to establish a connection with its Command & Control (C2) server, and send the basic device information: version, model, root status, country, and precise location. After that, it will start loading different malicious modules to the device, including a cookie stealer, a keylogger, a phishing pages injector, a grabber for PIN codes and patterns, and an SMS stealer. These modules allow the malware to grab passwords and multi-factor authentication codes which can later be used for identity theft.
While all of this might sound like much, researchers are adding that Chameleon is an emerging threat, and as such is likely to get additional features in the comping weeks.
To stay safe, Android users should first make sure not to download apps from suspicious sources and instead grab apps only from official stores. Furthermore, they should enable Google Play Protect, as the first line of defense. An Android antivirus program wouldn’t hurt, either.
- Here are the best firewalls today
Via: BleepingComputer