S1083 Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
| Item | Value |
|---|---|
| ID | S1083 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 16 August 2023 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1453 | Abuse Accessibility Features | After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect.[1][2] |
| mobile | T1517 | Access Notifications | Chameleon has registered as an SMS broadcast receiver to monitor incoming SMS messages.[1] |
| mobile | T1437 | Application Layer Protocol | Chameleon has used a SOCKS proxy.[2] |
| mobile | T1437.001 | Web Protocols | Chameleon has used HTTP to communicate with the C2 server.[1] |
| mobile | T1616 | Call Control | Chameleon has the ability to control calls.[2] |
| mobile | T1533 | Data from Local System | Chameleon has gathered cookies and device logs.[1][2] |
| mobile | T1407 | Download New Code at Runtime | Chameleon has the ability to download new code at runtime.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | Chameleon has sent stolen data over HTTP.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.001 | Prevent Application Removal | Chameleon has prevented application removal by abusing Accessibility Services.[1][2] |
| mobile | T1629.003 | Disable or Modify Tools | Chameleon has the ability to disable Google Play Protect.[1][2] |
| mobile | T1630 | Indicator Removal on Host | Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1] |
| mobile | T1544 | Ingress Tool Transfer | Chameleon has downloaded HTML overlay pages after installation.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Chameleon has logged keystrokes of an infected device.[1] Additionally, Chameleon has stolen PINs, passwords, and graphical keys through keylogging functionalities.[2] |
| mobile | T1417.002 | GUI Input Capture | Chameleon has performed overlay attacks against a device by injecting HTML phishing pages into a webview.[1] Chameleon has launched overlay attacks through the “Injection” activity.[2] |
| mobile | T1430 | Location Tracking | Chameleon has gathered device location data.[1] |
| mobile | T1461 | Lockscreen Bypass | Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.[2] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Chameleon has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.[1][2] |
| mobile | T1575 | Native API | Chameleon has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.[2] |
| mobile | T1509 | Non-Standard Port | Chameleon has communicated over port 7242 using HTTP.[1] |
| mobile | T1660 | Phishing | Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | Chameleon has gathered SMS messages.[1] |
| mobile | T1603 | Scheduled Task/Job | Chameleon has used the AlarmManager API to schedule tasks.[2] |
| mobile | T1513 | Screen Capture | Chameleon has captured the device’s screen.[2] |
| mobile | T1418 | Software Discovery | Chameleon has read the names of installed application packages.[1] |
| mobile | T1426 | System Information Discovery | Chameleon has the ability to gather basic device information, such as version, model, root status, and country.[1] Chameleon has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, Chameleon has checked the keyguard’s status regarding how the device is locked (e.g. pattern, PIN, or password).[2] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | Chameleon has performed system checks to verify if the device is rooted or has ADB enabled; if found, Chameleon will avoid execution.[1] |
References
1. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
2. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.