‘Chameleon’ Android banking trojan can bypass biometric auth

Dec 25 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that worries that cybercriminals see you when you're sleeping. They know when you're awake… ???????? Merry Christmas everyone but don’t forget, cybercrime doesn’t take a day off ????????????????????

Today’s hottest cybersecurity news stories:

  • ???? ‘Chameleon’ Android banking trojan can bypass biometric auth ????

  • ???? Predator spyware is back and this time it’s reboot-proof in Android ????

  • ⚠️ Microsoft warns of FalseFont backdoor targeting the defence sector ????‍????

Karma karma karma karma karma Chameleon, Trojan and go, Trojan and go ????????????

???? Security Alert: Chameleon Banking Trojan Strikes Again! ????

Cybersecurity researchers have uncovered an upgraded version of the Android banking malware, Chameleon, now targeting users in the U.K. and Italy. This evolved variant excels in Device Takeover (DTO), expanding its reach beyond Australia and Poland.

????️ How Does it Work?

Chameleon abuses Android's accessibility service, harvesting sensitive data and conducting overlay attacks. Initially found on phishing pages impersonating institutions, the malware is now delivered through Zombinder, a dropper service resurfaced last month.

????️ Protection Measures

Google Play Protect defends against Chameleon, but users are urged to stay vigilant. The malware tricks users into enabling accessibility services, especially on Android 13 or later. It now disrupts biometric operations using Android APIs, transitioning lock screens to PIN.

???? Evolution of Threats

The Chameleon's resurgence highlights the dynamic Android threat landscape. Google notes increased resilience and advanced features, reflecting a broader trend of 29 malware families targeting 1,800 banking apps globally over the past year.

???? Top Targets

Traditional banking apps remain prime targets, with the U.S., U.K., and Italy leading. Notable apps include Bank of America, Barclays, and Binance. The evolving landscape includes new threats like Nexus, Godfather, and PixBankBot.

???? Stay Safe

Regularly update your device, use reputable security apps, and avoid downloading apps from untrusted sources. Be cautious of unexpected requests for accessibility settings.

Remember, awareness is the key to a safer digital experience! ????️????

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Where’s Alien when you need him, eh? ????????????

???? Insider Intel: Predator Spyware's Evolution! ????️‍♂️

Cisco Talos researchers have unveiled a surprising update on the Predator spyware, revealing a new "add-on feature" that allows it to persist between reboots. This capability, previously absent in 2021, is now offered based on customer licensing options, showcasing the spyware's adaptability.

???? Intellexa Alliance's Creation

Predator, born from the Intellexa Alliance consortium, includes entities like Cytrox and Nexa Technologies. Notably, both Cytrox and Intellexa faced U.S. sanctions in July 2023 for "trafficking in cyber exploits." Predator's seamless functioning relies on its symbiotic relationship with the loader component Alien.

???? Pricing and Accessibility

Operating as a "remote mobile extraction system," Predator targets Android and iOS with a licensing model in the millions. This hefty price tag keeps it out of reach for novice criminals, emphasising its sophistication.

???? Adapting to Security Measures

As Apple and Google tighten security, spywares like Predator and Pegasus adapt by seeking zero-day exploits. However, Intellexa's unique approach involves offloading attack infrastructure setup to customers, providing plausible deniability.

???? Global Operations

Intellexa maintains geographical restrictions tied to licences, with customers operating within a specific country code prefix. Yet, for an extra fee, this constraint can be loosened.

???? The Need for Transparency

Despite public exposure, offensive actors like Intellexa continue to thrive globally. Researchers emphasise the importance of public disclosures, enabling scrutiny and driving detection efforts, ultimately imposing development costs on spyware vendors.

????️ Stay Informed, Stay Secure! Keep up with the ever-evolving world of cybersecurity. ????????

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)


???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)


???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

Microsoft says: Font be fooled ????????????

???? Iranian Actor Targets Defense Sector with 'FalseFont' Backdoor! ????

In the ongoing saga of cybersecurity, Microsoft has identified a new danger – an Iranian threat actor aiming at the Defense Industrial Base (DIB) sector. This campaign introduces a never-seen-before backdoor named 'FalseFont.'

???? FalseFont Backdoor Unveiled

Microsoft's Threat Intelligence team reveals that FalseFont is a custom backdoor armed with diverse functionalities, granting remote access, file launches, and data transmission to its command-and-control servers. The first sighting dates back to November 2023.

???? Peach Sandstorm Strikes Again

Microsoft associates this campaign with Peach Sandstorm (AP33, Elfin), noting its evolution in threat actor tradecraft.

The group was previously linked to password spray attacks targeting satellite, defence, and pharmaceutical sectors globally.

Peach Sandstorm, with roots traced back to 2013, continues its mission to gather intelligence supporting Iranian state interests.

???? Phishing Alert

As tensions rise, the Israel National Cyber Directorate accuses Iran and Hezbollah of unsuccessful attempts to target Ziv Hospital. Meanwhile, a phishing campaign leverages a fake advisory to deliver wiper malware, exploiting a critical F5 BIG-IP flaw.

????️ Stay Vigilant

Cyber threats persist, but awareness is our best defence. Regularly update systems, employ robust security measures, and remain cautious of phishing attempts.

???? Keep Watch for Further Updates! Cybersecurity remains a collective effort. ????????

And Merry Christmas again cyber squad! ????????????????❄️????☃️????????????

Thanks for sticking with us and have a great holiday… But don’t worry we’ll be back tomorrow and all through the break to keep you safe and secure ????????????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa: The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles