Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f)

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Chameleon - S1083 (2cf00c5a-857d-4cb6-8f03-82f15bee0f6f) | Malware | 1 |
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 2 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) | Attack Pattern | Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |