Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d) | Attack Pattern | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f) | Attack Pattern | System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | 2 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |