Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | 1 |
| Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | 1 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5) | Attack Pattern | 1 |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | 1 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f) | Attack Pattern | System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 2 |