Chameleon Android Trojan Offers Biometric Bypass

Published: 23/11/2024   Category: security
A more sophisticated version of a work in progress malware is impersonating a Google Chrome app to attack a wider swath of mobile users.



A new variant of an Android banking Trojan has appeared that can bypass biometric security to break into devices, demonstrating an evolution in the malware that attackers now are wielding against a wider range of victims.

The Chameleon banking Trojan — so-named for its ability to adapt to its environment through multiple new commands — first appeared on the scene in a work-in-progress version in January, specifically to target users in Australia and Poland. Spread through phishing pages, the malware's behavior then was characterized by an ability to impersonate trusted apps, disguising itself as institutions like the Australian Taxation Office (ATO) and popular banking apps in Poland to steal data from user devices.
Now, researchers at Threat Fabric have spotted a new, more sophisticated version of Chameleon that also targets Android users in the UK and Italy, and spreads through a Dark Web Zombinder app-sharing service disguised as a Google Chrome app, they revealed in a blog post published Dec. 21.
The variant includes several new features that make it even more dangerous to Android users than its previous incarnation, including a new ability to interrupt the biometric operations of the targeted device, the researchers said.
By unlocking biometric access (facial recognition or fingerprint scans, for example), attackers can access PINs, passwords, or graphical keys through keylogging functionalities, as well as unlock devices using previously stolen PINs or passwords. This functionality to effectively bypass biometric security measures is a concerning development in the landscape of mobile malware, according to Threat Fabric's analysis.
The variant also has an expanded feature that leverages Android's Accessibility service for device takeover attacks, as well as a capability found in many other Trojans to allow task scheduling using the AlarmManager API, the researchers found.
These enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans, they wrote.
Overall, the three distinct new features of Chameleon demonstrate how threat actors respond to and continuously seek to bypass the latest security measures designed to combat their efforts, according to Threat Fabric.
The malware's key new ability to disable biometric security on the device is enabled by issuing the command interrupt_biometric, which executes the InterruptBiometric method. The method uses Android's KeyguardManager API and AccessibilityEvent to assess the device screen and keyguard status, evaluating the state of the latter in terms of various locking mechanisms, such as pattern, PIN, or password.
Upon meeting the specified conditions, the malware uses this action to transition from biometric authentication to PIN authentication, bypassing the biometric prompt and allowing the Trojan to unlock the device at will, the researchers found.
This, in turn, provides attackers with two advantages: making it easy to steal personal data such as PINs, passwords, or graphical keys, and allowing them to enter biometrically protected devices using previously stolen PINs or passwords by leveraging Accessibility, according to Threat Fabric.
So although the victim's biometric data remains out of reach for actors, they force the device to fall back to PIN authentication, thereby bypassing biometric protection entirely, according to the post.
Another key new feature is an HTML prompt to enable the Accessibility service, on which Chameleon depends to launch an attack to take over the device. The feature involves a device-specific check activated upon the receipt of the command android_13 from the command-and-control (C2) server, displaying an HTML page that prompts users to enable the Accessibility service and then guiding them through a manual step-by-step process.
A third feature in the new variant introduces a capability also found in many other banking Trojans, but which until now Chameleon did not have: task scheduling using the AlarmManager API.
However, as opposed to other manifestations of this feature in banking Trojans, Chameleon's implementation takes a dynamic approach, efficiently handling accessibility and activity launches in line with standard trojan behavior, according to Threat Fabric. It does this by supporting a new command that can determine whether accessibility is enabled or not, dynamically switching between different malicious activities depending on the state of this feature on the device.
The manipulation of accessibility settings and dynamic activity launches further underscore that the new Chameleon is a sophisticated Android malware strain, according to Threat Fabric.
With attacks against Android devices soaring, it's more crucial than ever for mobile users to be wary of downloading any applications on their device that seem suspicious or aren't distributed through legitimate app stores, security experts advise.
As threat actors continue to evolve, this dynamic and vigilant approach proves essential in the ongoing battle against sophisticated cyber threats, the researchers wrote.
Threat Fabric managed to track and analyze samples of Chameleon related to the updated Zombinder, which uses a sophisticated two-staged payload process to drop the Trojan. They employ the SESSION_API through PackageInstaller, deploying the Chameleon samples along with the Hook malware family, according to the post.
Threat Fabric published indicators of compromise (IoCs) in its analysis, in the form of hashes, app names, and package names associated with Chameleon so users and administrators can monitor for potential infection by the Trojan.
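Beyond matching the published hashes, an analyst can triage a decoded AndroidManifest.xml for the capability mix this article describes: an Accessibility service, exact-alarm scheduling (AlarmManager), the permission a dropper needs to drive PackageInstaller, and a Chrome look-alike label on a non-Chrome package name. The script below is an added example, not Threat Fabric's tooling; the sample manifest is constructed, and the signals are heuristics (each alone is legitimate) rather than a signature for Chameleon.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix
described in the article. Heuristic only: flags are indicators, not a verdict."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # prefix for android: attributes in ElementTree
CHROME_PKG = "com.android.chrome"  # genuine Google Chrome package name
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (not a real Chameleon artifact).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chrome.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Chrome">
    <service android:name=".svc.A11y" android:permission="%s">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % A11Y_PERM


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in one decoded manifest, keyed by name."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(A + "label") if app is not None else None) or ""
    findings = {}
    # Accessibility service: the hook used for device takeover and keylogging.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == A11Y_PERM:
            findings["accessibility_service"] = svc.get(A + "name")
    # Exact alarms: AlarmManager-based task scheduling.
    if "android.permission.SCHEDULE_EXACT_ALARM" in perms:
        findings["exact_alarm_scheduling"] = True
    # Install permission: what a two-stage dropper needs to use PackageInstaller.
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings["can_install_packages"] = True
    # Label claims to be Chrome but the package name is not Chrome's.
    if "chrome" in label.lower() and pkg != CHROME_PKG:
        findings["chrome_lookalike"] = pkg
    return findings


def is_suspicious(findings: dict) -> bool:
    """Escalate only when several indicators co-occur, to limit false positives."""
    return len(findings) >= 3
```

Run it over manifests extracted with a decoder such as apktool; a hit is a reason to pull the sample for dynamic analysis, not a detection on its own.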
