Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	1
Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	1
Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6)	Attack Pattern	Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	1
Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	1
Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)	Malware	Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	1
System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f)	Attack Pattern	2
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)	Attack Pattern	2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	2
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	2
Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	2