The Chameleon Android banking trojan [1] [2] has emerged as a significant threat [3], expanding its operations to target users in the United Kingdom (UK) and Italy [1]. This evolved malware specializes in Device Takeover (DTO) attacks that abuse the accessibility service, and it carries out overlay attacks to gather sensitive user data. It is now being delivered through Zombinder [1] [5], a “dropper-as-a-service” used by cybercriminal groups [1].


The Chameleon Android banking trojan has evolved to perform Device Takeover (DTO) fraud by leveraging accessibility services. It disrupts biometric operations and alters the lock screen authentication mechanism to a PIN [1] [5] [6]. Traditional banking applications remain the primary targets [1], but fintech and commerce applications are increasingly affected as well [1]. The malware masquerades as the Google Chrome web browser and tricks users into enabling the accessibility service [5] [6]. This new variant demonstrates increased resilience and advanced features [5] [6], allowing attackers to bypass biometric security measures and gain access to PINs, passwords [2] [3] [7], and graphical keys [7]. In addition to abusing Android’s Accessibility service for device takeover, it uses the AlarmManager API for task scheduling [7]. Recent research has shown that 29 malware families targeted 1,800 banking applications across 61 countries over the past year [4], with the US [4], UK [7], and Italy being the top countries targeted [4].


The Chameleon Android banking trojan poses a significant threat to device security because it continues to evolve and employ advanced tactics [2]. Users are advised to exercise caution when downloading Android package files and to prioritize security measures that mitigate the risks associated with evolving mobile banking trojans [2]. The trojan’s ability to disrupt biometrics underscores the persistent challenge of staying ahead of malicious actors in the dynamic landscape of mobile cybersecurity [2]. To protect against Chameleon and other Android malware [3], it is recommended to install an Android antivirus app and avoid sideloading apps [3]. Using biometrics like fingerprint or facial recognition is advised for unlocking phones [3], and caution should be exercised when opening links from unknown senders [3].
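
As an added example (not taken from the cited reports), the following triage check combines two points made above: the trojan depends on the victim enabling an accessibility service, and it arrives as a sideloaded package. It assumes the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` has been captured from the device; the trusted-installer list, sample data and package names are constructed for illustration.

```python
import re

# Installers treated as trusted app stores (assumption: adjust to fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility_services(raw):
    """Parse `settings get secure enabled_accessibility_services` output
    (colon-separated 'package/class' components) into a set of package names."""
    raw = raw.strip()
    if not raw or raw == "null":  # "null" is printed when nothing is enabled
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def parse_installers(raw):
    """Parse `pm list packages -i` lines ('package:<name>  installer=<name>')
    into {package: installer or None}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            inst = m.group(2)
            installers[m.group(1)] = None if inst == "null" else inst
    return installers

def flag_sideloaded_accessibility(services_raw, installers_raw):
    """Return sorted packages that hold an enabled accessibility service but
    were not installed by a trusted store (sideloaded or unknown origin)."""
    installers = parse_installers(installers_raw)
    return sorted(
        pkg for pkg in parse_accessibility_services(services_raw)
        if installers.get(pkg) not in TRUSTED_INSTALLERS
    )

# Constructed sample output; these values are illustrative, not real captures.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakebrowser/com.example.fakebrowser.A11yService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebrowser  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in flag_sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print("review:", pkg)
```

Preinstalled system apps can also report no installer, so flagged packages are candidates for review rather than confirmed malware.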