
Malware in Android phone | Android Malware Biometric Security

 Android Malware That Is Capable of Eschewing Biometric Security

https://www.newshelpar.com/2023/12/malware-in-android-phone-android.html


A new bypass function and a wider target range are included in the Chameleon Android banking trojan variant.


Online fraud detection company ThreatFabric warns that a new version of the Chameleon Android banking malware has expanded its targeting and added new bypass capabilities.


The malware, which has been active since early 2023, was first detected affecting mobile banking applications in Poland and Australia. However, it has now spread to the UK and Italy.


ThreatFabric notes that when Chameleon was first discovered, it was still in the early stages of development because it was using numerous loggers, had limited malicious capabilities, and had a number of unused instructions.


By using a proxy feature and abusing Accessibility Services, it could act on the victim's behalf, enabling attackers to carry out Account Takeover (ATO) and Device Takeover (DTO) attacks, which mostly target bitcoin and banking apps.


Phishing websites, fake apps, and a legitimate content distribution network (CDN) used for file sharing all served to spread the malware.


ThreatFabric has discovered a newer version of the Chameleon trojan that packs more sophisticated features while maintaining the same traits and method of operation as its predecessor.


The new samples are being distributed through Zombinder, a dropper-as-a-service (DaaS) used in attacks against Android users.


According to ThreatFabric, the detected Zombinder samples employ a complex two-step payload procedure that installs both Chameleon and the Hook malware family.


The latest Chameleon version has several significant features, one of which is a device-specific check that is triggered upon receiving a command from the command-and-control (C&C) server and targets the 'Restricted Settings' safeguards introduced in Android 13.


After it receives the command, the trojan shows an HTML page asking the victim to enable the Accessibility service. The page walks the user through manually enabling the service step by step, allowing the malware to ultimately carry out DTO.
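A defender-side triage check for the Accessibility abuse described above, as an added example that is not from ThreatFabric or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags enabled accessibility services owned by third-party packages that were not installed by Google Play. The package names, the sample output and the trusted-installer list are constructed assumptions.

```python
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_enabled_services(raw):
    """Map package -> [service classes] from the colon-separated secure setting."""
    services = {}
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no accessibility service enabled
        return services
    for component in raw.split(":"):
        pkg, sep, cls = component.partition("/")
        if sep:
            # ".Svc" is shorthand for "<package>.Svc"
            services.setdefault(pkg, []).append(pkg + cls if cls.startswith(".") else cls)
    return services

def parse_installers(raw):
    """Map third-party package -> installer (None if unknown) from `pm list packages -3 -i`."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field.split("=", 1)[1] or None
        installers[fields[0][len("package:"):]] = installer
    return installers

def flag_sideloaded_accessibility(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, services) for third-party, non-store apps with a11y enabled."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(parse_enabled_services(services_raw).items()):
        # Packages missing from the -3 listing are preinstalled/system apps: skipped here.
        if pkg in installers and installers[pkg] not in trusted:
            findings.append((pkg, installers[pkg], classes))
    return findings

# Constructed sample output (hypothetical package names, not from a real device).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.pdfviewer/.A11yService"
                   ":com.example.passwordmgr/com.example.passwordmgr.AutofillA11y")
SAMPLE_PACKAGES = """package:com.example.pdfviewer  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.game  installer=com.android.packageinstaller"""

if __name__ == "__main__":
    for pkg, installer, classes in flag_sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} (installer={installer}): {', '.join(classes)}")
```

A hit is a lead for manual review, not a verdict: legitimately sideloaded accessibility tools will also be flagged.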


The latest Chameleon variant also has a new function, enabled by a specific command, that interrupts biometric operations on the victim's device.


Upon receiving the command, the malware evaluates the device's screen and keyguard state and then "utilizes the AccessibilityEvent action to transition from biometric authentication to PIN authentication," thereby bypassing the biometric prompt.


Forcing a fallback to 'standard' authentication benefits threat actors in two ways. First, it makes it easier to steal passwords, PINs, or graphical keys through keylogging features, since these threat actors are still unable to obtain biometric data. According to ThreatFabric, "Secondly, by utilizing this fallback, those same actors can unlock devices with previously stolen PINs or passwords."


The most recent version of Chameleon also adds task scheduling through the AlarmManager API, a feature seen in other banking trojans, though implemented differently. If the accessibility option is not enabled, the malware may use the 'Injection' activity to gather data on user apps in order to determine which app is running in the background and display overlays.
