Cyble-Blogs-Chameleon

Chameleon: A New Android Malware Spotted In The Wild

Banking Trojan targeting mobile users in Australia and Poland

Cyble Research & Intelligence Labs (CRIL) has identified a novel Android Banking Trojan, which we are referring to as “Chameleon,” based on the commands used by the malware primarily due to the fact that the malware appears to be a new strain and seems unrelated to any known Trojan families. The Trojan has been active since January 2023 and is specifically observed targeting users in Australia and Poland.

The Chameleon Banking Trojan utilizes the Accessibility Service to perform malicious activities like other Banking Trojans. The malware pretends to be the popular cryptocurrency app CoinSpot, a government agency in Australia, and IKO bank from Poland.

In January 2023, the Trojan was observed using icons of different software, such as ChatGPT, Chrome, Bitcoin, etc., to infect Android users, as illustrated in the image below.

Figure 1 – Icons used by malware

Chameleon malicious applications are distributed through compromised websites, Discord attachments, and Bitbucket hosting services. The following URLs are known to be used for distributing the malware:

  • hxxps://www[.]renatsoft.com[.]br/CoinSpot[.]apk
  • hxxps://bitbucket[.]org/leaanner173/3/downloads/ATO.apk
  • hxxps://cdn.discordapp[.]com/attachments/1056744010670145596/1057757995200696391/Crypto_Collector[.]apk
  • hxxps://cdn.discordapp[.]com/attachments/1051452726615216201/1056574187218681936/LTC_GiveAway[.]apk
  • hxxps://cdn[.]discordapp.com/attachments/1056744010670145596/1057757994584117338/BCH_Cash[.]apk
  • hxxps://bitbucket[.]org/emmon11/download/downloads/AdultFriendFinderApp[.]apk

The Chameleon Banking Trojan has the following capabilities:

  • Keylogging
  • Overlay attack
  • SMS-harvesting
  • Preventing uninstallation
  • Cookie stealer
  • Lock grabber
  • Anti-emulation technique
  • Auto-uninstallation
  • Disabling Google Play Protect

The Chameleon Banking Trojan is currently in its early stages of development and has limited capabilities. Its primary method of stealing users’ credentials is through injection and keylogging techniques. However, it is possible that new features may be added to the malware in the future.

This analysis focuses on a recently discovered malware sample called CoinSpot.apk, with the SHA-256 hash value of 153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa.

The malware is disguised as a legitimate cryptocurrency application called CoinSpot from Australia and connects to a Command and Control (C&C) server  hxxp://146.70.41[.]143:7242/.

The image below displays the control panel of the Chameleon Banking Trojan.

Figure 2 – Control Panel of Chameleon Banking Trojan

Technical Analysis

 

APK Metadata Information

  • App Name: CoinSpot
  • Package Name: com.top.omit
  • SHA256 Hash: 153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa

  The below figure shows the metadata information of the application. 

Figure 3 – Application metadata information

The malware initially performs anti-emulation checks, including verifying whether the device is rooted or debugging is activated. If the malware identifies any one of these emulation checks, it will terminate its execution.

The below figure shows the code used by malware for anti-emulation checks.

Figure 4 – Anti-emulation checks

Upon identifying the targeted device, the Chameleon Banking Trojan requests the victim to activate the Accessibility Service. Once the victim grants permission, the malware exploits the Accessibility Service to automatically grant permissions, prevent uninstallation, disable Play Protect, and perform other malicious activities.

Figure 5 – Abusing Accessibility Service

Meanwhile, in the background, the malware connects to the C&C server hxxp://146.70.41[.[143:7242/api/v1/bots/a2dee0d3-9c1e-e1aa75fce-88c64b9a9de and sends the basic device information such as device version, model, root status, county, and location as shown in the below image.

Figure 6 – Malware sending the basic device information

Cookie Stealer:

After sending the basic device information, the malware opens the legitimate CoinSpot URL https://www.coinspot.com.au in a WebView, but in the background, it silently steals the cookies of the loaded URL and sends them to the server using the ‘cookies’ command.

Figure 7 – Malware stealing cookie for URLs loaded into WebView

The malware uses the below URL pattern to communicate with its C&C server for performing different malicious activities:

  • /task – malware sends a GET request and can receive a command in response to execute malicious tasks
  • /log – malware sends stolen data from the victim’s device
  • /statistic – malware sends accessibility log

Keylogger:

The malware has incorporated keylogging capabilities by exploiting the Accessibility Service. The malware monitors and captures the keystrokes using the functions editLog() and writeLog(), and subsequently saves the keylogs in a database along with the application package name. The keylogs are later sent to the C&C server via the sendkeylogs() method.

The process is illustrated in the image below.

Figure 8– Malware sending keay logs

Injection:

The malware monitors the accessibility event and checks if the “injection” variable is set to “True.” Once this variable is found to be “True”, the malware calls upon the inject() function, which cross-checks the application’s package name against a list of targeted applications stored in a local database. If a match is found, the malware proceeds with the injection.

Figure 9 – Starting injection activity

The injection is a process of creating an overlay on the targeted application by downloading HTML phishing pages from the C&C server. The malware carries out validation to determine if the HTML phishing page for the targeted application has already been stored in a database.

If the page is absent, the malware downloads it from the C&C server and stores it in a database. Once the download process is finished, the malware loads the injection into a WebView, as demonstrated in the provided image.

Figure 10 – Downloading HTML Phishing pages

Figure 11 – Creating an overlay window on the targeted application

Lock Grabber:

By exploiting the Accessibility Service, the malware can steal the victim’s device password. First, it identifies the type of lock being used – whether it is a password, PIN, or even swipe pattern, and then saves the entered credentials into the database with the lock_grabber command.

Figure 12 – Malware finding lock pattern and fetching passwords

Figure 13 – Storing stolen device password into a database

SMS Stealer:

The malware has registered an SMSBroadcast Receiver to monitor incoming text messages from the victim’s device and send the stolen messages to the C&C server. The attacker can harvest the stolen messages later to obtain One-Time Passwords (OTP) and bypass the Two-Factor Authentication (2FA) system employed by the bank.

Figure 14 – Malware stealing incoming SMSs

The Chameleon Banking Trojan utilizes shared preference variables such as “is_chameleon,” “app_chameleon”, and “app_chameleon_name” for auto-uninstallation and preventing uninstallation of the malware. Based on the usage of this shared preference variable, the malware is dubbed as “Chameleon Banking Trojan”.

The code displayed in the image below uses the Accessibility Service to identify whether the victim is performing any actions associated with uninstallation, implying that the victim may have suspicions that the installed app is harmful. If such activity is identified, the malware examines the values saved in the shared preference variable and uninstalls itself from the device to erase any evidence of its existence.

Figure 15 – Malware auto-uninstallation code

The malware contains an unused feature that enables it to download a payload during runtime. The code snippet shown in the image illustrates how the malware downloads the payload and saves it as a “.jar” file. Later, the code uses DexClassLoader to execute the payload.

Figure 16 – Downloading runtime module

Conclusion

Based on our analysis, Chameleon Banking Trojan can pose a threat to Android users. The malware has been operational since January 2023 and currently possesses the basic functionalities of a Banking Trojan.

However, there is a potential for malware to introduce new and more sophisticated features in the future, which could expand its target base beyond its current scope. If such features are introduced, it could potentially make Chameleon Banking Trojan a significant threat and put it in the same category as prominent and prevalent Banking Trojans.

Cyble Research & Intelligence Lab (CRIL) will continue to monitor the evolution of this malware and keep our readers updated with our latest findings.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the Apple App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials on an untrusted source.
  • Use strong passwords and enforce Multi-Factor Authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition to unlock the mobile device whereever possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications up to date with the latest software.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Means.
Initial AccessT1444Masquerade as a Legitimate Application
CollectionT1517Access Notifications
CollectionT1409Access Stored Application Data
DiscoveryT1418Application Discovery
PersistenceT1402Broadcast Receivers
CollectionT1412Capture SMS Messages
ImpactT1510Clipboard Modification
Defense EvasionT1523Evade Analysis Environment
CollectionT1417Input Capture
Defense EvasionT1406Obfuscated Files or Information
Defense EvasionT1508Suppress Application Icon
Defense EvasionT1576Uninstall Malicious Application

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa

SHA256  CoinSpot.apk
a8afa19a4aa30b144387101a58e7f52335f24eebSHA1  CoinSpot.apk
382e4022f901ebc2fa15a168a8dc5a20MD5CoinSpot.apk
hxxp://146.70.41[.[143:7242URLC&C server
be125a98ba01f1bd318271b5de8114da139e5f78449ab3eb69c5aa4934026aedSHA256  Crypto_Collector.apk
4efe3b31836f9a319a8ad9fcfe1f0502b94a8c8fSHA1  Crypto_Collector.apk
8cc3a9caed337dca0db40fb02db40fd9MD5Crypto_Collector.apk
cb507f6a2406274b56150f56bb7ef7cfd88f79600768f25b4a7d5441ec987835SHA256  IKO.apk
26f9e235d2460d453671dfe96cc559e0cfcc159aSHA1  IKO.apk
36b8c9f74c5fc5c1c4eae1d6efadab37MD5IKO.apk
55884b3b0018b42e500c8ca427d8ae3b3174d9efca5aa57b34eb9202cb84913aSHA256  ATO.apk
53d25f56db36e0f1bd802209d6b745e2e9e9e8efSHA1  ATO.apk
15243aa12a4e37db66278c16b50ee60dMD5ATO.apk
141e37754fa555e45eabe99ee7c854ab2d9f8b8ad89a73376f72c703602e3d17SHA256  Chameleon masquerading as ChatGPT
7c7261c6c046410af097ddb4ada7007ada78d51eSHA1  Chameleon masquerading as ChatGPT
2b33d114fb8f3bd7065b46889afc1c44MD5Chameleon masquerading as ChatGPT
60b0e7e09fe91aa785b85315aad3850e7f47f70a5aab7ae9ef31ad1c50477f55SHA256  BCH_Cash.apk
59c6ef85e25b688d8000e697ad2f3f7420dc7820SHA1  BCH_Cash.apk
b8019c6df196812517c445f802143d08MD5BCH_Cash.apk
ef0785dcdfe4fff99dc79bd89f1d1c2b207e67cb8fe6940127dd655ec202a770SHA256  LTC_GiveAway.apk
169bac058fe715dcee0625fe7e968396423800c9SHA1  LTC_GiveAway.apk
9f2b9c10e2d24e15da443d3c607edc0fMD5LTC_GiveAway.apk

Comments are closed.

Scroll to Top