Chameleon Android Malware Discovered in the Wild, Threatening Mobile Devices

  • Written by Ari Denial, Cybersecurity & Tech Writer

Cyble Research & Intelligence Labs (CRIL) recently discovered a new strain of Android Banking Trojan, named “Chameleon,” which appears to be unrelated to any known Trojan families.

The malware was identified, and named, on the basis of the commands the Trojan uses. It has been active since January 2023 and has been observed specifically targeting users in Australia and Poland.

Like other Banking Trojans, Chameleon carries out its malicious activities by abusing the Accessibility Service. The malware is capable of impersonating the popular cryptocurrency app CoinSpot, an Australian government agency, and the Polish bank IKO. This impersonation lets the Trojan deceive unsuspecting victims and gain access to sensitive information.

The Chameleon Banking Trojan employs various evasion techniques upon launch to avoid detection by security software. These include anti-emulation checks that detect whether the device is rooted or whether debugging is enabled; either condition is treated as a sign that the app is likely running in an analyst’s environment rather than on a victim’s device.

It can also disable Google Play Protect and prevent the user from uninstalling it. Upon initial connection with the Command-and-Control server (C2), Chameleon sends crucial device information such as the device version, model, root status, country, and precise location. This information is likely used to profile the new infection.

This Trojan loads malicious modules in the background depending on the entity it impersonates. These modules include a cookie stealer, keylogger, phishing page injector, lock screen PIN/pattern grabber, and SMS stealer.

The Accessibility Service is abused to carry out these data-stealing activities, allowing the malware to monitor screen content, intervene to modify interface elements, or send certain API calls as needed. The service is also used to prevent the malware from being uninstalled by identifying removal attempts and deleting shared preference variables.

The Trojan is considered an emerging threat, and future versions may have additional features and capabilities. Android users are advised to exercise caution when downloading apps, use only official app stores, and keep Google Play Protect enabled at all times.

CISA Adds Android Zero-Day Exploited by Chinese Shopping App to KEV Catalog

  • Written by Ari Denial, Cybersecurity & Tech Writer

The Chinese e-commerce app Pinduoduo has been accused of exploiting a high-severity Android vulnerability as a zero-day to spy on its users, according to a warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, tracked as CVE-2023-20963, is an Android Framework security flaw that enables attackers to elevate privileges on unpatched Android devices without user interaction.

Google’s suspension of the Pinduoduo app coincides with increasing tensions between the US and China over security concerns. CISA has added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list, citing Lookout’s findings that the Chinese e-commerce app exploited the Android Framework security flaw in the wild to spy on users.

Lookout’s telemetry data suggests that many victims were located outside of China, including in the US.

The vulnerability allows attackers to escalate privileges without user interaction, enabling the malicious code to perform various actions such as installing apps, removing apps, and accessing private data from third-party apps.

The discovery of an Android exploit being used by a popular app like Pinduoduo for financial gain and competitive advantage is a worrying shift in the threat landscape, according to Justin Albrecht, a threat intelligence researcher at Lookout. He added that the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, among other things.

Meanwhile, Bud Broomhead, CEO at Viakoo, said Android phones are good places to plant bots and form a botnet army, and the vendor of Pinduoduo has not been proactive in alerting users about the vulnerability.

Ted Miracco, CEO of Approov, has raised concerns about the security of Android devices following the recent zero-day vulnerabilities discovered in them. Miracco said that while zero-day vulnerabilities are dangerous, both iOS and Android devices are vulnerable, and no operating system is immune to such security threats. Apple announced earlier this week that it had patched two zero-day vulnerabilities affecting iPhones, iPads, and Macs, which were also added to CISA’s KEV catalog.

CISA has instructed federal agencies to patch, by May 1st, the two zero-day vulnerabilities affecting iPhones and Macs that have been exploited in the wild.