Individuals in Australia and Poland have been subjected to attacks with the novel Android banking trojan
dubbed "Chameleon," since January, with the malware impersonating the cryptocurrency exchange CoinSpot, an Australian government agency, and Poland's IKO bank, according to BleepingComputer
Several compromised websites, Bitbucket hosting services, and Discord attachments have been leveraged to facilitate the distribution of Chameleon, which has credential, cookie, and SMS message exfiltration capabilities, a Cyble report showed.
Researchers noted that anti-emulation checks and other measures to evade detection of security software are being conducted by Chameleon upon execution. Once the environment is determined to be clean, Chameleon proceeds to seek Accessibility Service access to facilitate additional permissions, deactivate Google Play Protect, and prevent user uninstallation.
The report also showed that aside from a cookie stealer, Chameleon also features a phishing page injector, keylogger, SMS stealer, and lock screen PIN/pattern grabber.
Further updates could be applied to add more functionality to Chameleon, researchers said.