{
	"id": "08a738ec-4916-4254-b600-6d5da18cd561",
	"created_at": "2026-04-06T00:21:40.540828Z",
	"updated_at": "2026-04-10T13:12:00.363459Z",
	"deleted_at": null,
	"sha1_hash": "07e45289ce927639ea63bd42834a9d0c309cf34c",
	"title": "Android Banking Trojan Chameleon can now bypass any Biometric Authentication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 510975,
	"plain_text": "Android Banking Trojan Chameleon can now bypass any Biometric\r\nAuthentication\r\nPublished: 2024-10-01 · Archived: 2026-04-02 11:04:41 UTC\r\nIntroduction\r\nIn January 2023, the Chameleon Banking Trojan emerged as a significant threat, employing various distribution methods to\r\ninfiltrate the Android ecosystem, with a specific focus on users in Australia and Poland. Aptly named \"Chameleon,\" this\r\nTrojan showcases its adaptability through multiple new commands, including the examination of app package names. Its\r\nprimary targets are mobile banking applications, with distribution through phishing pages that disguise it as a legitimate\r\napp.\r\nIn line with our earlier research (see also our SecuriDropper blog), during this investigation we were able to track and\r\nanalyze samples related to the updated Zombinder.\r\nThese Zombinder samples utilize a sophisticated two-staged payload process. They employ the SESSION_API through\r\nPackageInstaller, deploying the Chameleon samples along with the Hook malware family.\r\nThis article takes a deep dive into the newly discovered Chameleon malware variant, distributed via Zombinder.\r\nRepresenting a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing\r\nDevice Takeover (DTO) using the Accessibility Service, all while expanding its targeted region. 
Our research showcases the\r\nnew advanced features and capabilities embedded in its malicious payload, highlighting the evolution of this mobile threat.\r\nFirst seen in the wild in early 2023, the Chameleon banking trojan was discovered during its initial development phase.\r\nMarked by the use of various loggers, limited malicious functionalities, and well-defined but unused commands, it hinted at\r\na clear potential for further evolution and impact.\r\nThis banking trojan displayed a distinctive capability to manipulate a victim's device, executing actions on the victim's\r\nbehalf through a proxy feature. This feature enables advanced maneuvers like Account Takeover (ATO) and Device\r\nTakeover (DTO) attacks, particularly targeting banking applications and cryptocurrency services. These functionalities\r\nrelied on the abuse of Accessibility Service privileges.\r\nThe earlier variant of the Chameleon banking trojan also employed a diverse set of distribution methods, with a preference\r\nfor disguising itself as legitimate applications through phishing pages and using a legitimate Content Distribution Network\r\n(CDN) for file distribution.\r\nNotably, it predominantly targeted Australia and Poland, where it disguised itself as institutions like the Australian Taxation\r\nOffice (ATO) and popular banking apps in Poland.\r\nThis targeted strategy raises substantial concerns for banks and other financial institutions in these regions. 
The trojan's\r\nadeptness at impersonating trusted apps enhances its potential for widespread impact, underscoring the significance of its\r\nthreat to the mobile security landscape.\r\nhttps://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action\r\nPage 1 of 6\r\nUnveiling the Enhanced Chameleon Variant\r\nAs predicted by ThreatFabric's earlier research, after the initial work-in-progress versions, a refined iteration of the\r\nChameleon banking trojan has emerged, carrying over characteristics from its predecessor. This new variant has also\r\nexpanded its target region to include Android users in the United Kingdom (UK) and Italy.\r\nThis newly discovered variant continues its malicious pursuits, including the Device Takeover (DTO) capability through the\r\nAccessibility Service. Distributed through Zombinder, samples of this new variant exhibit a consistent modus operandi\r\nwhile introducing advanced features. Notably, they are often distributed by posing as Google Chrome apps.\r\nNew Features of the Modified Chameleon Variant\r\nTwo new features stand out in the updated Chameleon variant: the ability to bypass biometric prompts, and the ability to\r\ndisplay an HTML page for enabling the accessibility service on devices implementing Android 13's \"Restricted Settings\" feature.\r\nThese enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent\r\nthreat in the ever-evolving landscape of mobile banking trojans.\r\nIn the next sections, we will take a closer look at the intricacies of the new Chameleon banking trojan, unraveling its\r\ncapabilities, tactics, and the potential risks it poses to the cybersecurity landscape.\r\n1. 
Android 13: HTML Prompt to Enable Accessibility Service\r\nAmongst the features of the new Chameleon variant, one stands out in particular: a device-specific check activated upon receipt of the command \"android_13\" from the Command and Control (C2) server.\r\nFor instance, when the resurfaced Chameleon variant detects installation on an Android 13-based device with applied\r\nrestrictions on applications, it responds dynamically. The malware displays an HTML page, prompting users to enable the\r\nAccessibility service. This step is crucial for the Chameleon malware family, as it relies on this service for the successful\r\nexecution of Device Takeover (DTO) attacks.\r\nThe following code snippet outlines the method employed by the malware to check the restricted settings status of the\r\ninfected device:\r\nif (!class.devicebuild() \u0026\u0026 (class2.commandlist(\"android_13\", Boolean.valueOf(true)) \u0026\u0026 Build.VERSION.SDK_INT \u003e= 33 \u0026\u0026 !c\r\n this.startActivity(new Intent(this, class0).putExtra(\"action\", \"restriction\"));\r\n }\r\nUpon receiving confirmation of Android 13 Restricted Settings being present on the infected device, the banking trojan\r\ninitiates the loading of an HTML page. The page guides users through a manual step-by-step process to enable the\r\nAccessibility Service on Android 13 and higher. The visual representation below provides an overview of the new\r\nChameleon variant's adaptation in response to the Android 13 environment.\r\nThis new functionality demonstrates once again how underground actors respond to and continuously seek to bypass the\r\nlatest security measures designed to thwart their efforts.\r\nChameleon is an example of a trend where threat actors adapt droppers and integrate Android 13 restriction checks in\r\nmalware to bypass security measures.\r\n2. 
Disrupting Biometric Operations\r\nThe new Chameleon variant introduces a feature aimed at interrupting the biometric operations of the targeted device. This\r\nfeature is enabled by issuing the command \"interrupt_biometric\". Upon receiving this command, the malware executes the\r\n\"InterruptBiometric\" method.\r\nThis method employs the KeyguardManager API and AccessibilityEvent to assess the screen and keyguard status. It\r\nevaluates the keyguard's state concerning various locking mechanisms, such as pattern, PIN, or password. Upon meeting the\r\nspecified conditions, the malware utilizes the AccessibilityEvent action to transition from biometric authentication to PIN\r\nauthentication. This bypasses the biometric prompt, allowing the trojan to unlock the device at will.\r\nForcing a fallback to 'standard' authentication provides underground actors with two advantages. Firstly, it facilitates the\r\ntheft of PINs, passwords, or graphical keys through keylogging functionalities, because biometric data remains inaccessible\r\nto these threat actors.\r\nSecondly, leveraging this fallback enables those same actors to unlock devices using previously stolen PINs or passwords.\r\nThis is achieved through Accessibility actions.\r\nSo although the victim's biometric data remains out of reach for actors, they force the device to fall back to PIN\r\nauthentication, thereby bypassing biometric protection entirely.\r\nThe following code snippet shows the malware evaluating the KeyGuard state:\r\npublic final void interruptBiometric(AccessibilityEvent accessibilityEvent0) {\r\n if (accessibilityEvent0.getPackageName() != null) {\r\n if (bCBFNOgmB2372b7065b5f58f8f9f.screenstatus != 1 \u0026\u0026 (KeyguardManager != null \u0026\u0026 (KeyguardManager.isKeyguardS\r\n if (getInstance.findViewByContainsID(getInstance.getRootInActiveWindow(), \"lockPatternView\") != null) {\r\n return;\r\n }\r\n if (getInstance.findViewByContainsID(getInstance.getRootInActiveWindow(), 
\"pinEntry\") != null) {\r\n return;\r\n }\r\n if (getInstance.findViewByContainsID(getInstance.getRootInActiveWindow(), \"passwordEntry\") != null) {\r\n return;\r\n}\r\n }\r\nThis functionality to effectively bypass biometric security measures is a concerning development in the landscape of mobile\r\nmalware.\r\n3. Task Scheduling \u0026 Activity Control\r\nIn addition to the features discussed earlier, the updated Chameleon variant introduces a capability also found in many\r\nother banking trojans: task scheduling using the AlarmManager API, a feature not present in its earlier \"work-in-progress\"\r\nvariant.\r\nWhile task scheduling is common among trojans, what sets this implementation apart is its dynamic approach, efficiently\r\nhandling accessibility and activity launches in line with standard trojan behaviour.\r\nThe updated Chameleon version supports a new command, \"inejction_type\" [sic]. This command brings a unique element\r\nto the trojan's task-scheduling mechanism. It automatically switches from \"a11y\" (a11y is shorthand for accessibility) to\r\n\"usagestats\" upon receiving a specific command, depending on whether accessibility is disabled or not. If it is enabled, the\r\nmalware launches overlay attacks through the \"Injection\" activity.\r\nIf the accessibility service is disabled, the malware seamlessly switches from \"a11y\" to \"usagestats\", collecting information\r\non user app usage on Android devices with Android 23 or higher. 
This data, including the foreground app, provides an\r\nalternative method for determining the foreground application and deciding whether to initiate overlay or injection activity.\r\npublic final void run() {\r\n ((AlarmManager) class.this.getApplicationContext().getSystemService(\"alarm\")).set(0, System.currentTimeMillis() +\r\n if (!class.accessibility_enabled(class2.class) || (class.list(\"inejction_type\", \"a11y\").equals(\"usagestats\"))) {\r\n if (class.usage_stats()) {\r\n String s = class.this.currentActivity();\r\n if ((class.commandlist(\"injection\", Boolean.TRUE)) \u0026\u0026 (class.config(s)) \u0026\u0026 !false) {\r\n new Handler(Looper.getMainLooper()).post(new Runnable() {\r\n @Override public final void run() {\r\n ActivityThread.startActivity(new Intent(ActivityThread, class2.class).putExtra(\"app\",\r\n }\r\nConclusion\r\nThe emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape\r\nwithin the Android ecosystem. Evolving from its earlier iteration, this variant demonstrates increased resilience and\r\nadvanced new features. With an expanded focus on users in the UK and Italy, the Trojan employs multiple distribution\r\nmethods, including deployment via Zombinder and masquerading as legitimate applications such as the Chrome app.\r\nNoteworthy are the trojan's new features, such as HTML pages for Android 13 device evaluations and the disruption of\r\nbiometric operations, both of which demonstrate its adaptive capabilities. The manipulation of accessibility settings and\r\ndynamic activity launches further underscore that the new Chameleon is a sophisticated Android malware strain.\r\nIn an ever-evolving threat landscape, understanding the intricacies of the new Chameleon variant is important in formulating\r\neffective defensive strategies. 
ThreatFabric remains committed to unveiling the subtleties of such threats, providing insights\r\nthat empower users and security professionals to safeguard their digital domains. As threat actors continue to evolve, this\r\ndynamic and vigilant approach proves essential in the ongoing battle against sophisticated cyber threats.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading mobile\r\nthreat intel, behavioural analytics, advanced device fingerprinting, and over 10,000 adaptive fraud indicators. This will give\r\nyou and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nIndicators of compromise\r\nNew Variant of Chameleon Samples\r\nHASH (SHA256) | APP NAME | PACKAGE NAME\r\n2211c48a4ace970e0a9b3da75ac246bd9abaaaf4f0806ec32401589856ea2434 | Chrome | Z72645c414ce232f45.Z35aad4dde2ff09\r\n0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6 | Chrome | com.busy.lady\r\nSource: https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action"
	],
	"report_names": [
		"android-banking-trojan-chameleon-is-back-in-action"
	],
	"threat_actors": [],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07e45289ce927639ea63bd42834a9d0c309cf34c.pdf",
		"text": "https://archive.orkl.eu/07e45289ce927639ea63bd42834a9d0c309cf34c.txt",
		"img": "https://archive.orkl.eu/07e45289ce927639ea63bd42834a9d0c309cf34c.jpg"
	}
}