{
	"id": "704a2b09-c9d6-4e5b-9841-7234eca3c240",
	"created_at": "2026-04-06T00:19:41.722029Z",
	"updated_at": "2026-04-10T13:11:33.446247Z",
	"deleted_at": null,
	"sha1_hash": "5ce0bd43c545568b940876d96e9ce1405d3f9c04",
	"title": "Cyble - Chameleon: A New Android Malware Spotted In The Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2276467,
	"plain_text": "Cyble - Chameleon: A New Android Malware Spotted In The Wild\r\nPublished: 2023-04-13 · Archived: 2026-04-05 14:11:21 UTC\r\nCRIL analyzes the newly discovered Android Banking Trojan \"Chameleon\" targeting users from Australia and Poland.\r\nBanking Trojan targeting mobile users in Australia and Poland\r\nCyble Research \u0026 Intelligence Labs (CRIL) has identified a novel Android Banking Trojan, which we are referring to as “Chameleon” based on the commands used by the malware, since the malware appears to be a new strain unrelated to any known Trojan families. The Trojan has been active since January 2023 and has specifically been observed targeting users in Australia and Poland.\r\nLike other Banking Trojans, the Chameleon Banking Trojan abuses the Accessibility Service to perform its malicious activities. The malware pretends to be the popular cryptocurrency app CoinSpot, a government agency in Australia, and the IKO bank from Poland.\r\nIn January 2023, the Trojan was observed using icons of different software, such as ChatGPT, Chrome, Bitcoin, etc., to infect Android users, as illustrated in the image below.\r\nhttps://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/\r\nPage 1 of 11\n\nFigure 1 – Icons used by malware\r\nChameleon malicious applications are distributed through compromised websites, Discord attachments, and Bitbucket hosting services. 
Several URLs on these services are known to be used for distributing the malware.\r\nThe Chameleon Banking Trojan has the following capabilities:\r\nKeylogging\r\nOverlay attack\r\nSMS-harvesting\r\nPreventing uninstallation\r\nCookie stealer\r\nLock grabber\r\nAnti-emulation technique\r\nAuto-uninstallation\r\nDisabling Google Play Protect\r\nThe Chameleon Banking Trojan is currently in its early stages of development and has limited capabilities. Its primary method of stealing users’ credentials is through injection and keylogging techniques. However, it is possible that new features may be added to the malware in the future.\r\nThis analysis focuses on a recently discovered malware sample called CoinSpot.apk, with the SHA-256 hash value of 153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa.\r\nThe malware is disguised as a legitimate cryptocurrency application called CoinSpot from Australia and connects to a Command and Control (C\u0026C) server hxxp://146.70.41[.]143:7242/.\r\nThe image below displays the control panel of the Chameleon Banking Trojan.\r\nFigure 2 – Control Panel of Chameleon Banking Trojan\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: CoinSpot\r\nPackage Name: com.top.omit\r\nSHA256 Hash: 153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa\r\nThe figure below shows the metadata information of the application. 
\r\nFigure 3 – Application metadata information\r\nThe malware initially performs anti-emulation checks, including verifying whether the device is rooted or debugging is activated. If any one of these checks is positive, the malware terminates its execution.\r\nThe figure below shows the code used by the malware for anti-emulation checks.\r\nFigure 4 – Anti-emulation checks\r\nUpon identifying the targeted device, the Chameleon Banking Trojan requests the victim to activate the Accessibility Service. Once the victim grants permission, the malware exploits the Accessibility Service to automatically grant permissions, prevent uninstallation, disable Play Protect, and perform other malicious activities.\r\nFigure 5 – Abusing Accessibility Service\r\nMeanwhile, in the background, the malware connects to the C\u0026C server hxxp://146.70.41[.]143:7242/api/v1/bots/a2dee0d3-9c1e-e1aa75fce-88c64b9a9de and sends basic device information such as device version, model, root status, country, and location, as shown in the image below.\r\nFigure 6 – Malware sending the basic device information\r\nCookie Stealer:\r\nAfter sending the basic device information, the malware opens the legitimate CoinSpot URL https://www.coinspot.com.au in a WebView, but in the background it silently steals the cookies of the loaded URL and sends them to the server using the ‘cookies’ command.\r\nFigure 7 – Malware stealing cookie for URLs loaded into WebView\r\nThe malware uses the following URL paths to communicate with its C\u0026C server for performing different malicious activities:\r\n/task – malware sends a GET request and can receive a command in response to execute malicious tasks\r\n/log – malware sends stolen data from the victim’s device\r\n/statistic – malware sends 
accessibility log\r\nKeylogger:\r\nThe malware has incorporated keylogging capabilities by exploiting the Accessibility Service. The malware monitors and captures the keystrokes using the functions editLog() and writeLog(), and subsequently saves the keylogs in a database along with the application package name. The keylogs are later sent to the C\u0026C server via the sendkeylogs() method.\r\nThe process is illustrated in the image below.\r\nFigure 8 – Malware sending key logs\r\nInjection:\r\nThe malware monitors the accessibility event and checks if the “injection” variable is set to “True.” Once this variable is found to be “True”, the malware calls the inject() function, which cross-checks the application’s package name against a list of targeted applications stored in a local database. If a match is found, the malware proceeds with the injection.\r\nFigure 9 – Starting injection activity\r\nInjection is the process of creating an overlay on the targeted application by downloading HTML phishing pages from the C\u0026C server. The malware first checks whether the HTML phishing page for the targeted application has already been stored in its database.\r\nIf the page is absent, the malware downloads it from the C\u0026C server and stores it in the database. Once the download is finished, the malware loads the injection into a WebView, as demonstrated in the image below.\r\nFigure 10 – Downloading HTML Phishing pages\r\nFigure 11 – Creating an overlay window on the targeted application\r\nLock Grabber:\r\nBy exploiting the Accessibility Service, the malware can steal the victim’s device password. 
First, it identifies the type of lock being used (password, PIN, or even swipe pattern) and then saves the entered credentials into the database with the lock_grabber command.\r\nFigure 12 – Malware finding lock pattern and fetching passwords\r\nFigure 13 – Storing stolen device password into a database\r\nSMS Stealer:\r\nThe malware registers an SMS BroadcastReceiver to monitor incoming text messages on the victim’s device and send the stolen messages to the C\u0026C server. The attacker can harvest the stolen messages later to obtain One-Time Passwords (OTP) and bypass the Two-Factor Authentication (2FA) system employed by the bank.\r\nFigure 14 – Malware stealing incoming SMSs\r\nThe Chameleon Banking Trojan utilizes shared preference variables such as “is_chameleon,” “app_chameleon”, and “app_chameleon_name” for auto-uninstallation and for preventing uninstallation of the malware. Based on the usage of these shared preference variables, the malware is dubbed the “Chameleon Banking Trojan”.\r\nThe code displayed in the image below uses the Accessibility Service to identify whether the victim is performing any actions associated with uninstallation, implying that the victim may suspect that the installed app is harmful. If such activity is identified, the malware examines the values saved in the shared preference variables and uninstalls itself from the device to erase any evidence of its existence.\r\nFigure 15 – Malware auto-uninstallation code\r\nThe malware contains an unused feature that enables it to download a payload during runtime. The code snippet shown in the image illustrates how the malware downloads the payload and saves it as a “.jar” file. 
Later, the code uses DexClassLoader to execute the payload.\r\nFigure 16 – Downloading runtime module\r\nConclusion\r\nBased on our analysis, the Chameleon Banking Trojan can pose a threat to Android users. The malware has been operational since January 2023 and currently possesses the basic functionalities of a Banking Trojan.\r\nHowever, there is a potential for the malware to introduce new and more sophisticated features in the future, which could expand its target base beyond its current scope. If such features are introduced, they could potentially make the Chameleon Banking Trojan a significant threat and put it in the same category as prominent and prevalent Banking Trojans.\r\nCyble Research \u0026 Intelligence Labs (CRIL) will continue to monitor the evolution of this malware and keep our readers updated with our latest findings.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like Google Play Store or the Apple App Store.\r\nUse a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nNever share your Card Details, CVV number, Card PIN, and Net Banking Credentials on an untrusted source.\r\nUse strong passwords and enforce Multi-Factor Authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition to unlock the mobile device wherever possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications up to date with the latest software.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as a Legitimate Application\r\nCollection T1517 Access Notifications\r\nCollection T1409 Access Stored Application Data\r\nDiscovery T1418 Application Discovery\r\nPersistence T1402 Broadcast Receivers\r\nCollection T1412 Capture SMS Messages\r\nImpact T1510 Clipboard Modification\r\nDefense Evasion T1523 Evade Analysis Environment\r\nCollection T1417 Input Capture\r\nDefense Evasion T1406 Obfuscated Files or Information\r\nDefense Evasion T1508 Suppress Application Icon\r\nDefense Evasion T1576 Uninstall Malicious Application\r\nIndicators of Compromise (IOCs)\r\nSample hashes (SHA256, SHA1, MD5) and the C\u0026C server URL hxxp://146.70.41[.]143:7242 are listed in the source report.\r\nSource: https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
	],
	"report_names": [
		"chameleon-a-new-android-malware-spotted-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ce0bd43c545568b940876d96e9ce1405d3f9c04.pdf",
		"text": "https://archive.orkl.eu/5ce0bd43c545568b940876d96e9ce1405d3f9c04.txt",
		"img": "https://archive.orkl.eu/5ce0bd43c545568b940876d96e9ce1405d3f9c04.jpg"
	}
}