Date: 2023-12-22

Its name may sound familiar: Chameleon. Specialists had already warned about this malware, and it has now come back hitting hard with a new infection method. It is a Trojan that sneaks onto users' devices to take control of their bank accounts, which makes it one of the most dangerous pieces of malware we can face.

Very dangerous malware

When this malware first appeared, it camouflaged itself in several ways that initially gave it a high infection rate. It posed as the CoinSpot cryptocurrency exchange and also impersonated Australian government agencies. In other cases, the malware was found trying to infect devices by assuming the identity of different banks.

Its objective was to attack mobile phones so that cybercriminals could take control of the device and, especially, of the users' bank accounts. To do this, it applied keylogging techniques, stole internal keys, accessed cookie records and took over SMS traffic to intercept bank keys. However, security experts acted and managed to stop Chameleon's expansion.

Back with a new technique

That has now changed with its new incarnation, which has found a way to re-infect devices without being caught in the process. However, the work carried out by the ThreatFabric team has been more than enough to expose the whole scheme and bring to the fore the type of threat Chameleon currently represents.

They say they have discovered that Chameleon is using the Zombinder service to make users think they are safely using a version of Google Chrome when, in reality, their devices are being infected. The problem is that, with this tool, the malware hides almost perfectly. It then begins its attack strategy, which consists of loading an HTML page that asks users to accept so that the accessibility service can be used. This occurs on phones running Android 13 or a higher version.

This is when the user gets into trouble, because Chameleon's next step is to use the accessibility service to disable the main security measures: fingerprint reading and facial recognition. Not only that, but the malware can store all PINs entered on the keyboard, so once it starts storing keys there is nothing that can stop the criminals.

Finally, they also report that the malware can use the AlarmManager API at will and optimize its infection and attack process depending on how the device is used. This represents a significant leap in the way malware acts behind users' backs, so it is recommended to be very careful not to fall victim to the infection. To avoid problems, experts once again emphasize, as usual, that we should not install anything from sources that are not guaranteed, that we should be careful with APKs, and that we should not use services like Zombinder, which are doomed to be plagued by viruses. They also recommend making sure Play Protect is activated.

What we are seeing is that, although Google is strengthening Android security considerably and doing everything possible to avoid incidents, hackers and criminals find a way to continue carrying out their infection plans. Therefore, you must always remain alert and avoid any possible exposure to these types of risks.