UPDATED 20:26 EST / DECEMBER 24 2023

SECURITY

New Chameleon Android malware variant emerges with fingerprint lock bypass capability

A new variant of Chameleon Android malware has been found in the wild with new features, notable among them the ability to bypass fingerprint locks.

The Chameleon Android banking trojan first entered the scene in early 2023 with a primary focus on mobile banking applications in Australia and Poland but has since expanded into other countries, including the U.K. and Italy. The malware uses multiple loggers but has somewhat limited functionality.

Earlier versions of Chameleon could perform actions on behalf of the victim, with those behind the malware able to undertake account and device takeover attacks. As detailed Dec. 21 by researchers at ThreatFabric, Chameleon has traditionally abused the Android Accessibility Service to steal sensitive information from endpoints and mount overlay attacks.

However, the new version comes with two changes: the ability to bypass biometric prompts and the ability to display an HTML page to enable the accessibility service on devices that implement Android 13’s “Restricted Settings” feature. According to the researchers, the enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans.

The new Chameleon variant starts by scanning to see if the OS is Android 13 or newer. If it is, the malware then prompts the user to turn on accessibility services, going so far as to guide the user through the process. Once complete, the malware can then perform unauthorized actions on the user’s behalf.

That’s not a particularly unique ability among malware families, but the next part is where it gets interesting: the ability to interrupt biometric operations on the targeted device and bypass fingerprint locks.

To assess the screen and keyguard status, the method employs the KeyguardManager application programming interface and AccessibilityEvent, an Android system-level event that provides information about changes in the user interface. Keyguard in Android is a system component responsible for managing device security, such as screen lock and authentication mechanisms.

The malware evaluates the keyguard’s state concerning various locking mechanisms, such as pattern, PIN or password. When specific conditions are met, the malware then utilizes the AccessibilityEvent action to transition from biometric authentication to PIN authentication. This bypasses the biometric prompt, allowing the trojan to unlock the device at will.

The method is said to give those behind the malware two advantages: the ability to steal PINs, passwords or graphical keys through keylogging once the biometric prompt is bypassed, and the ability to unlock devices using previously stolen PINs or passwords.

“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the researchers conclude. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”

To avoid being infected, users should use common sense when installing applications, such as not installing apps from dubious unofficial sites and employing security measures such as Play Protect, a security feature on Android devices that scans and verifies apps to prevent the installation of harmful software.
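Because the variant depends on the victim enabling an accessibility service for a sideloaded app, a defender can check which enabled accessibility services belong to packages that did not come from a trusted store. The following is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`. The trusted-installer list, the function names and the `com.example.*` sample data are assumptions constructed for illustration.

```python
# Installers treated as trusted app stores (assumption; extend for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(settings_output):
    """Parse `settings get secure enabled_accessibility_services`: a
    colon-separated list of package/class names, or "null" when unset."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    pairs = (c.partition("/") for c in value.split(":"))
    return [(pkg, cls) for pkg, _, cls in pairs if pkg]

def parse_packages(pm_output):
    """Parse `pm list packages [-i|-s]` into {package: installer or None}."""
    packages = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        packages[fields[0]] = installer
    return packages

def flag_sideloaded_services(settings_out, pm_installers_out, pm_system_out):
    """Return enabled accessibility services owned by non-system packages
    that were not installed by a trusted store."""
    installers = parse_packages(pm_installers_out)
    system = set(parse_packages(pm_system_out))
    findings = []
    for package, cls in parse_enabled_services(settings_out):
        installer = installers.get(package)
        if package not in system and installer not in TRUSTED_INSTALLERS:
            findings.append((package, cls, installer or "unknown"))
    return findings

# Constructed sample output; the com.example.* names are hypothetical.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.oem.assist/.AssistService:"
                   "com.example.browserupdate/com.example.browserupdate.HelperService\n")
SAMPLE_PM_I = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
               "package:com.example.oem.assist  installer=null\n"
               "package:com.example.browserupdate  installer=com.android.packageinstaller\n")
SAMPLE_PM_S = "package:com.example.oem.assist\n"
```

A flagged entry is a prompt for review rather than a verdict, since legitimate sideloaded accessibility tools will also appear.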
