New Chameleon banking trojan is stealing account info — what you need to know


A newly discovered Android banking trojan could be hiding among your other apps, one with the ability to change its app icon as it steals your passwords, text messages and other sensitive data.

According to a new report by the cybersecurity firm Cyble, security researchers discovered a new banking trojan that they have dubbed “Chameleon,” based on the commands used by the malware powering it.

The Chameleon banking trojan has been active since January of this year, and (like other Android malware) it abuses the operating system’s Accessibility Service to perform malicious activities. However, one thing that sets it apart from other banking trojans is the fact that Chameleon pretends to be other popular apps and can even change its icon to hide in plain sight.

So far, Cyble’s researchers have observed the banking trojan using the icons of ChatGPT, Chrome and other apps, though it also uses pictures of popular cryptocurrencies like Bitcoin or Litecoin to disguise itself.

Stealing account info and disabling Google Play Protect

Based on Cyble’s investigation, it appears that malicious apps used to spread the Chameleon banking trojan are distributed through hacked websites, Discord attachments and Bitbucket hosting services.

Even though Chameleon is still relatively new and is in the early stages of development, it already has a wide range of malicious capabilities. The banking trojan can perform keylogging, launch overlay attacks, harvest SMS text messages, prevent itself from being uninstalled, steal cookies and automatically uninstall itself.

One thing that makes this new malware strain particularly dangerous is that it can disable Google Play Protect on an infected smartphone. For those unfamiliar, Google Play Protect is Google’s own Android antivirus app, which scans both your existing apps and any new apps you download for malware and removes it.

Another interesting capability already found in Chameleon is its lock grabber, which can steal a victim’s device password. Surprisingly, the lock grabber can even identify whether you’re using a password, PIN or swipe pattern before saving the password used to unlock your Android smartphone.

How to stay safe from banking trojans and other Android malware


At the moment, the Chameleon banking trojan is primarily being used to target Android users in Australia by disguising itself as a legitimate cryptocurrency exchange called CoinSpot. However, at the end of its report on the matter, Cyble notes that there is certainly potential for the malware behind it to become more sophisticated over time with new features as it expands its target base to users in other countries.

To protect yourself from the Chameleon banking trojan and other Android malware, installing one of the best Android antivirus apps is your best bet since this new malware strain is capable of getting around the protection offered by Google Play Protect. At the same time, you should avoid sideloading apps and instead, you should only download new apps from official app stores like the Google Play Store.

Since Chameleon steals PINs and other forms of Android lock screen passwords, you’re better off using biometrics like your fingerprint or facial recognition to unlock your phone. Likewise, you want to be cautious about opening links received via text messages or emails from unknown senders on your smartphone.

Chameleon may be a new Android banking trojan but it has the potential to be a real threat to Android users around the world.

Anthony Spadafora
Senior Editor Security and Networking
