Date: 2023-12-22

A new variant of the Chameleon banking trojan has emerged, bringing upgraded capabilities that allow it to disable fingerprint and face unlock features on Android phones in order to steal device PINs. This malware, distributed through a service called Zombinder, disguises itself as Google Chrome to avoid detection by Google Play Protect and antivirus software.

By presenting a fake HTML page, the malware prompts users to grant permission for the app to use the Accessibility service on devices running Android 13 or later. Granting it this way bypasses the security feature called Restricted settings, which blocks permissions that can be exploited by malicious apps. Once granted permission, the Chameleon trojan forces users to enter a PIN or password instead of using biometric authentication.

Notably, this new variant of Chameleon has the ability to schedule tasks through the AlarmManager API, allowing it to operate discreetly when the infected phone is typically active, thus evading detection.

To protect themselves from this type of Android malware, users are advised to avoid sideloading apps onto their smartphones. Instead, it is recommended to only download apps from official app stores, such as the Google Play Store, the Amazon Appstore, or the Samsung Galaxy Store, as these platforms have robust security measures in place to detect and prevent malicious apps.

As the threat posed by Zombinder and similar services continues to grow, it is likely that Google will develop methods to detect apps injected with malware through Google Play Protect. In the meantime, it is crucial for users to limit the number of installed apps and exercise caution when downloading apps from unofficial sources. Taking these precautions will help mitigate the risk of falling victim to Android malware attacks.
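The advice above can be checked on a device. The following is an added example, not code from the article or from any vendor: it takes the text output of three `adb` commands and lists enabled Accessibility services whose package was not installed by one of the stores named above. The sample output and the `com.example.*` package names are constructed for illustration.

```python
# Added example (not from the article): list enabled Accessibility services
# whose package was not installed by an official store. Inputs are the text of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i     (package + installer)
#   adb shell pm list packages -s     (preinstalled system packages)

TRUSTED_INSTALLERS = {                  # stores named in the article
    "com.android.vending",              # Google Play Store
    "com.amazon.venezia",               # Amazon Appstore
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

def parse_packages(pm_output):
    """Map package -> installer (None if absent or 'null') from pm list output."""
    packages = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        packages[fields[0][len("package:"):]] = installer
    return packages

def audit_accessibility(enabled, pm_list_i, pm_list_s):
    """Return (package, service component, installer) for each service to review."""
    installers, system = parse_packages(pm_list_i), parse_packages(pm_list_s)
    findings = []
    for component in enabled.strip().split(":"):
        package = component.split("/", 1)[0]
        if not package or package == "null" or package in system:
            continue  # nothing enabled, or a preinstalled service
        if installers.get(package) not in TRUSTED_INSTALLERS:
            findings.append((package, component, installers.get(package)))
    return findings

# Constructed sample output; the com.example.* names are made up for illustration.
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.fakebrowser/.HelperService:"
                  "com.example.passwords/.AutofillA11yService")
SAMPLE_PM_I = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebrowser  installer=com.google.android.packageinstaller
package:com.example.passwords  installer=com.android.vending"""
SAMPLE_PM_S = "package:com.google.android.marvin.talkback"

if __name__ == "__main__":
    for package, component, installer in audit_accessibility(SAMPLE_ENABLED, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"review: {component} (installer={installer})")
```

A finding is a lead for manual review, not a verdict: a legitimately sideloaded accessibility tool is flagged too, and the installer field alone does not prove an app is benign.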