Victims who try to remove the Chameleon Android trojan from their devices are finding that it resists deletion.
Since the beginning of the year, this new malware has been raising concern among users in Australia and Poland: it masquerades as popular apps, including the Australian crypto exchange CoinSpot, an Australian federal agency, and the Polish banking app IKO. The security firm Cyble has identified compromised websites, Discord attachments, and Bitbucket hosting as the channels used to distribute Chameleon. Once installed, the malware is difficult to detect and remove, making it a significant threat to user data.
Chameleon has several dangerous capabilities: it steals cookies and SMS messages, and it harvests user data through overlay injection and keylogging. At launch, the malware also runs several anti-analysis checks to avoid detection by security software. These checks determine whether it is running in a sandbox, whether the device is rooted, and whether debugging is enabled in the developer settings. The attackers use these indicators to decide whether the trojan has landed on an ordinary user's device or on a security researcher's.
If Chameleon concludes that the environment is safe, it requests access to the Accessibility Service, which it then abuses to grant itself further permissions and to make itself harder to remove from the victim's device. To keep later payloads from being flagged, the malware also disables Google Play Protect.
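A practitioner triaging a suspicious APK can look for exactly the pattern described above (SMS access, overlay drawing, and a self-declared accessibility service) in the decoded AndroidManifest.xml. The script below is an added illustration, not Cyble's tooling and not Chameleon's real manifest: both sample manifests are constructed, and the verdict thresholds are an assumption chosen for the example. It expects the plain-text manifest that apktool or a similar decoder writes out.

```python
# Manifest triage for the permission pattern described above (SMS access, overlays,
# Accessibility Service abuse). Added illustration, not Cyble's tooling and not
# Chameleon's real manifest: the sample manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# uses-permission entries that together fit the banking-trojan profile in the article.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (intercept one-time codes)",
    "android.permission.RECEIVE_SMS": "receive SMS (intercept one-time codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay injection)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages (payload dropper)",
    "android.permission.QUERY_ALL_PACKAGES": "list installed apps (pick overlay targets)",
}
SMS_OR_OVERLAY = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the risky permissions and accessibility services a decoded
    AndroidManifest.xml declares, and assign a rough verdict.

    Verdict heuristic (an assumption for this example, not a published rule):
    'high' when an accessibility service is declared alongside SMS or overlay
    permissions, 'medium' when any risky permission is present, 'low' otherwise."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root.iter("uses-permission"):
        name = _android_attr(elem, "name")
        if name in RISKY_PERMISSIONS:
            found[name] = RISKY_PERMISSIONS[name]
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is one the app will ask the
    # user to enable; that is the hook the article describes being abused.
    accessibility = [
        _android_attr(svc, "name")
        for svc in root.iter("service")
        if _android_attr(svc, "permission") == ACCESSIBILITY_BIND
    ]
    if accessibility and (set(found) & SMS_OR_OVERLAY):
        verdict = "high"
    elif found:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "risky_permissions": found,
        "accessibility_services": accessibility,
        "verdict": verdict,
    }


# Constructed sample: a fake wallet app with the trojan-like profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Wallet">
        <service android:name="com.example.fakewallet.AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(xml_text)
        print(report["package"], report["verdict"])
        for perm, why in report["risky_permissions"].items():
            print("  ", perm, "-", why)
        for svc in report["accessibility_services"]:
            print("   accessibility service:", svc)
```

Permissions alone are a weak signal (many legitimate apps read SMS or draw overlays), which is why the heuristic only escalates to "high" when an accessibility service is declared in the same package; that combination is what lets a trojan grant itself permissions and resist removal as described above.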
The malware already carries code to fetch additional payloads, save them on the device as ".jar" files, and execute them later via DexClassLoader, although that code is not yet in use. Experts warn that Chameleon may gain more advanced capabilities in the future.
Android users should be cautious when choosing and installing apps. To reduce the risk of infection, keep Google Play Protect enabled and install apps only from official app stores.