Member Blog

Unmasking Chameleon Malware: A New Android Banking Trojan Threat


In the ever-evolving landscape of cybersecurity, a stealthy adversary known as “Chameleon” has emerged, targeting Android devices with malicious intent. Discovered by leading cybersecurity experts, this banking Trojan sets itself apart with its unique attributes, bearing a semblance to Xenomorph samples. Feedzai delves into the intricacies of the Chameleon malware, exploring its origins, functionalities, attack patterns, and protective measures.

Unraveling Chameleon Malware

Chameleon malware, detected earlier this year, has made its presence felt primarily in Australia and Poland since January 2023. Deviously camouflaged as legitimate applications, the Trojan has impersonated reputable entities like the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank.

Under the Hood: How Chameleon Operates

Once infiltrated, Chameleon sets its malicious gears in motion. It brazenly pilfers sensitive user data, including credentials, cookies, and SMS texts. The Trojan’s modus operandi also involves superimposing counterfeit login screens onto genuine apps, craftily luring users into divulging their credentials. Chameleon’s agility shines through in its distribution methods, which include compromised websites, Discord attachments, and Bitbucket hosting services. As this malware evolves, its sophistication is poised to grow.

Devious Exploits of Chameleon

Once nestled within a device, Chameleon flexes its malicious muscles, engaging in a gamut of nefarious activities:

  1. Stealthy theft of credentials from banking apps, cryptocurrency wallets, and financial services.
  2. Creation of counterfeit login overlays to ensnare unsuspecting users.
  3. Pilfering of cookies and session data.
  4. Capture of SMS messages to bypass 2FA systems.
  5. Acquisition of device passwords, be it PINs, swipe patterns, or passwords.
  6. Foiling malware analysis through anti-emulation techniques and disabling Google Play Protect


Unveiling Chameleon’s Traits

Though recently unearthed, Chameleon’s discovery swiftly prompted recognition from over 36 antivirus engines. The Trojan’s trickery extends to its use of the accessibility service, a hallmark of banking Trojans. Astonishingly, Chameleon mimics familiar applications like CoinSpot, Google Chrome, and even ChatGPT. Its focus currently lies on targeting users in Australia and Poland, but the potential for expansion to other regions looms.

Chameleon boasts a robust architecture that permits the integration of new features, functionalities, and obfuscation methods. Its distribution thrives through Discord links, Bitbucket hosting, and compromised websites, with no traces on Google Play.

The Trojan employs cunning tactics, such as automatic downloads triggered by URL entries in browsers. Consequently, users must disable automatic downloads in browser settings to thwart such ploys.

Loaded with destructive capabilities like keylogging, overlay attacks, SMS capture, and uninstallation prevention, Chameleon underscores the importance of cautious app installations and robust device configurations.

Chameleon’s Intrusive Permissions

The Trojan’s audacity is laid bare through the permissions it demands, contrasting starkly with those expected of its impersonated counterparts. From altering phone states to accessing contacts and capturing SMS, Chameleon’s reach extends to more invasive domains like audio recording and phone state manipulation.

Shielding Against Chameleon’s Sting

For those suspecting Chameleon’s presence on their Android devices, proactive steps are paramount:

  1. Employ a reputable antivirus or anti-malware program to scan your device.
  2. Uninstall unrecognized and suspicious apps.
  3. Alter online account passwords and mobile device lock patterns.
  4. Exercise caution when installing apps, opting for trusted sources.
  5. Access our threat analysis report for deeper insights into Chameleon’s menace.
  6. A collective defense against threats like Chameleon hinges on collaboration. Reporting suspicious activities and
  7. sharing insights empower the community to thwart and mitigate these dangers.


Make sure to stay informed on the most recent information on Chameleon malware by checking the latest article on Feedzai!

Share this Article
Related Insights
Since 2014, Holland FinTech has been mapping the fintech landscape, in the Netherlands and abroad.
Landing in the Netherlands
New to the Netherlands? Want to know who is who and where to meet them? Read all about the Dutch market, and find your path to successful market access!
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 12-15 September! Be a sponsor, co-organizer, or just participate at the summit or one of the countless side events.

How likely are you to recommend Holland FinTech?