This nasty Android banking trojan can steal your PIN by disabling fingerprint unlock — how to stay safe


If you unlock your phone with your fingerprint rather than a PIN, you make it harder for someone watching over your shoulder to learn your unlock code. But the PIN is still the credential that biometrics ultimately fall back to, and an upgraded version of the Chameleon Android malware exploits exactly that: it disables both fingerprint and face unlock so that you have to type your PIN, and then captures it.

As reported by BleepingComputer, the Chameleon banking trojan has recently resurfaced with upgraded capabilities. Earlier versions, discovered earlier this year, impersonated government agencies, banks and crypto exchanges.

Hackers also used Chameleon for keylogging, to inject overlays on top of popular apps in order to harvest credentials, and to steal cookies and text messages from compromised phones.

With your PIN in hand, cybercriminals can unlock and access your smartphone at any time, which makes it much easier to steal sensitive information from the device, drain your bank accounts and steal from other financial apps.



Impersonating Chrome to steal your phone’s PIN

According to a new report from ThreatFabric, Chameleon is currently being distributed through the Zombinder service and, to slide under the radar, it poses as Google Chrome.

For those unfamiliar with Zombinder, it is a service that binds a malicious payload to a legitimate Android app so that the resulting APK looks and behaves like the original while also carrying the malware. This helps the trojanized apps avoid detection, and the cybercriminals behind the service even claim that their bundles bypass Google Play Protect as well as Android antivirus apps.

Besides the new distribution method, this upgraded Chameleon variant displays an HTML page on devices running Android 13 or later that walks potential victims through granting the app access to the operating system's Accessibility service. This feature was added because Android 13 introduced Restricted Settings, which blocks apps installed from outside an app store from being granted permissions that malware commonly abuses, including Accessibility, unless the user explicitly allows restricted settings for that app. Since the permission would otherwise be blocked, the HTML page manually guides victims through the steps needed to enable it.

In addition, this new version of the Chameleon banking trojan can interrupt biometric unlock, whether fingerprint or face, on an infected Android smartphone. This feature also abuses the Accessibility service: the malware forces the device to fall back to PIN or password authentication, whether for unlocking the phone or for authenticating inside an app, and then captures the PIN or password as it is typed. Because the lock-screen PIN is also what Android asks for before a new fingerprint or face can be enrolled, it is effectively the master credential for the device, and whoever captures it can unlock the compromised phone at any time.

Chameleon can now also schedule its tasks through the AlarmManager API so that it is not working while the infected phone is normally in use, which helps it stay hidden and avoid detection.

How to stay safe from Android malware


Protecting yourself from Android malware becomes a whole lot more difficult when services like Zombinder are in the mix because, as noted above, Zombinder's operators claim that legitimate apps with malicious code injected into them can evade detection by both Google Play Protect and antivirus software.

Because of this, you want to avoid such trojanized apps entirely. The easiest way to do that is to not sideload apps onto your Android smartphone. Installing apps as APK files is convenient and fast, but it's very hard to tell what those files actually contain. Instead, stick to official app stores like the Google Play Store, or official third-party ones like the Amazon Appstore or the Samsung Galaxy Store, which at least screen the apps they carry for known threats. Keep in mind that Android 13's Restricted Settings only protects you if you don't click through it: an app that walks you step by step through enabling Accessibility or "Allow restricted settings" is itself a red flag, because a legitimate Chrome download will never ask for that.
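To turn the two warning signs above, an Accessibility service you don't remember enabling and an app that arrived outside a store, into something you can actually check on a phone connected over USB debugging, here is an added example. It is not code from Tom's Guide, ThreatFabric or the Chameleon authors. It reads the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags every enabled accessibility service that is not on your own baseline, noting whether its package was installed from a trusted store or sideloaded. The sample command outputs embedded below are constructed for the example, and the package `com.android.chrome.update` is a made-up Chrome look-alike, not a real Chameleon identifier.

```python
import re
from typing import Dict, List, Tuple

# Installer packages we treat as trusted app stores (an assumption for this
# example; extend it for your own device or fleet).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}

# Accessibility services expected on this particular device. On a real phone
# build this baseline from a known-good state; here it is an assumption.
KNOWN_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of:
#   adb shell settings get secure enabled_accessibility_services
# Android stores this as a colon-separated list of package/Service components.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.android.chrome.update/com.android.chrome.update.AccService"
)

# Constructed sample of:
#   adb shell pm list packages -i
# Sideloaded packages show installer=null. 'com.android.chrome.update' is a
# hypothetical Chrome look-alike, not a real malware package name.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome.update  installer=null
package:com.example.notes  installer=com.sec.android.app.samsungapps
"""


def parse_enabled_services(raw: str) -> List[str]:
    """Split the settings value into 'package/Service' component names.

    The setting reads 'null' (or is empty) when no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [component for component in raw.split(":") if component]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map each package name to its installer package ('null' if sideloaded)."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def audit(enabled_raw: str, packages_raw: str) -> List[Tuple[str, str]]:
    """Return (component, reason) for every enabled accessibility service that
    is not on the baseline, with its installer as context for triage."""
    installers = parse_installers(packages_raw)
    findings: List[Tuple[str, str]] = []
    for component in parse_enabled_services(enabled_raw):
        if component in KNOWN_SERVICES:
            continue
        package = component.split("/", 1)[0]
        installer = installers.get(package, "unknown")
        if installer in TRUSTED_INSTALLERS:
            reason = f"not on baseline, installed from {installer}"
        else:
            reason = f"not on baseline and sideloaded (installer={installer})"
        findings.append((component, reason))
    return findings


if __name__ == "__main__":
    for component, reason in audit(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"SUSPICIOUS: {component}: {reason}")
```

On a real device, capture the two command outputs and pass them to `audit()` in place of the constructed samples. Without a computer, the same list is visible under Settings > Accessibility, where any entry under "Downloaded apps" that you did not deliberately turn on deserves the same suspicion.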

Now that this threat is becoming more serious, Google may well be working on ways for Google Play Protect to detect apps that have had malware injected through Zombinder. Until then, limiting the number of apps on your smartphone and avoiding apps you don't really need is the best course of action you can take.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.