As per a recent report by ThreatFabric, the Chameleon malware is presently being disseminated through a Zombinder service, masquerading as Google Chrome to operate discreetly.
For those unfamiliar with Zombinder, it functions as a malware packer capable of injecting malicious code into authentic Android apps. This allows the compromised apps to evade detection, with cybercriminals claiming that their malicious bundles can elude Google Play Protect and even the most robust Android antivirus applications.
Apart from the innovative distribution method, this upgraded variant of Chameleon can present an HTML page on devices running Android 13 or later. This page prompts potential victims to grant the app permission to utilize the operating system’s Accessibility service. This addition is prompted by Android 13’s security feature, the Restricted setting, which blocks permissions like Accessibility susceptible to abuse by malicious apps. Since Accessibility would typically be blocked, the HTML page manually guides potential victims through the process to enable this permission.
Furthermore, this new iteration of the Chameleon banking trojan can disrupt biometric authentication methods such as fingerprint or face unlock on infected Android smartphones. Leveraging the Accessibility service, the malware compels the use of a PIN or password for unlocking or authentication. Subsequently, the malware captures these entered PINs or passwords for later use in unlocking a compromised device at any time.
Chameleon has also incorporated the ability to schedule tasks through the AlarmManager API, ensuring that the malware remains inactive during the regular operation of the infected phone. This scheduling enhances its stealth capabilities, helping it evade detection.
Ensuring protection against Android malware
Protecting yourself from Android malware becomes significantly challenging when dealing with services like Zombinder. Zombinder facilitates the injection of malicious code into legitimate apps, allowing them to avoid detection by both Google Play Protect and antivirus software.
To minimize the risk, it is advisable to avoid compromised apps altogether. One effective approach is refraining from sideloading apps onto your Android smartphone. Although installing apps as APK files is convenient, discerning their content is challenging. Opting for official app stores like the Google Play Store or approved third-party platforms such as the Amazon Appstore or Samsung Galaxy Store is recommended. These official stores meticulously scrutinize each app for potential threats.
As the threat intensifies, it is likely that Google is actively developing methods to detect apps injected with malware through Zombinder in Google Play Protect. Meanwhile, limiting the number of installed apps on your smartphone and avoiding unnecessary installations remain prudent strategies.
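The two conditions the article describes, an app that arrived outside an official store and an app that has been granted the Accessibility service, are both visible from a developer workstation over adb. The following audit script is an added example, not code from the article or from ThreatFabric; it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages that are both sideloaded and running an enabled accessibility service. The output line formats, the trusted-installer package names, and the sample device output embedded below are assumptions made for the example.

```python
"""Audit sideloaded Android apps that have an accessibility service enabled.

Added example, not part of the original article or of ThreatFabric's research.
Assumed adb output formats (check against your own device):
  adb shell pm list packages -i
      -> "package:com.example.app  installer=com.android.vending"
         ("installer=null" for sideloaded or preinstalled packages)
  adb shell settings get secure enabled_accessibility_services
      -> colon-separated "pkg/ServiceClass:pkg2/ServiceClass2" (or "null")
"""
import re
import subprocess
from dataclasses import dataclass

# Installer packages treated as vetted stores (assumed names); anything else
# is treated as sideloaded for the purpose of this audit.
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play Store
    "com.amazon.venezia",                # Amazon Appstore
    "com.sec.android.app.samsungapps",   # Samsung Galaxy Store
}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    services: tuple


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ("null" when unknown/sideloaded)."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility_services(settings_output: str) -> dict:
    """Map package name -> tuple of enabled accessibility service components."""
    services = {}
    value = settings_output.strip()
    if value in ("", "null"):
        return services
    for component in value.split(":"):
        if "/" not in component:
            continue
        pkg = component.split("/", 1)[0]
        services.setdefault(pkg, []).append(component)
    return {pkg: tuple(svcs) for pkg, svcs in services.items()}


def audit(pm_output: str, settings_output: str) -> list:
    """Return findings for packages that are sideloaded AND have an
    accessibility service enabled, the combination the article describes."""
    installers = parse_installers(pm_output)
    a11y = parse_accessibility_services(settings_output)
    findings = []
    for pkg, svcs in sorted(a11y.items()):
        installer = installers.get(pkg, "null")
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, svcs))
    return findings


def run_adb(args):
    """Run an adb shell command against the connected device (requires adb)."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample output standing in for a real device.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.chrome.update  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.banking  installer=com.amazon.venezia
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.chrome.update/.AccessibilityHelper"
)

if __name__ == "__main__":
    for f in audit(SAMPLE_PM, SAMPLE_A11Y):
        print(f"SUSPECT {f.package} (installer={f.installer}) "
              f"services={', '.join(f.services)}")
    # Against a live device:
    # audit(run_adb(["pm", "list", "packages", "-i"]),
    #       run_adb(["settings", "get", "secure", "enabled_accessibility_services"]))
```

On the constructed sample the script reports only the sideloaded package with an enabled accessibility service; a legitimate screen reader installed from the Play Store is not flagged. Treat a hit as a prompt to inspect the app, not as proof of infection, since sideloaded accessibility tools can be legitimate.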