S1083: Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
Analyst context for executives and security teams
Chameleon matters because it represents mobile banking trojan behavior on Android where user trust, accessibility permissions, and mobile authentication workflows become the control plane. ATT&CK describes it as masquerading as official applications and using Android Accessibility Services, with related behaviors spanning credential/input capture, notification access, screen capture, software and system discovery, C2 over web protocols, persistence/resistance to removal, and data exfiltration. For leaders, the practical issue is whether mobile devices used for banking, workforce identity, or sensitive business workflows are governed and observable enough to detect risky permissions and suspicious app behavior before credential theft or account compromise becomes an incident-response problem.
Executive priority
Prioritize Chameleon as a mobile identity and fraud-resilience concern, not only a malware-name concern. The ATT&CK relationships point to risks around accessibility abuse, one-time-code exposure through notifications/SMS, GUI/input capture, and C2-based exfiltration. Executives should ask whether Android devices that access corporate email, finance systems, privileged workflows, or MFA prompts are covered by mobile device management, mobile threat defense, app-source policy, and incident response procedures. Audit and compliance evidence should show that the organization can inventory mobile apps, enforce permission and installation policy, and respond when an app resists removal or interferes with security tools.
Technical view
SOC, detection engineering, and IR teams should validate Android coverage around the behaviors ATT&CK links to Chameleon: Download New Code at Runtime, Keylogging, GUI Input Capture, Software/System Information Discovery, Location Tracking, Web Protocol C2, Abuse Accessibility Features, Lockscreen Bypass, Screen Capture, Access Notifications, SMS collection, local data collection, tool transfer, scheduled jobs, call control, prevention of app removal, disabling/modifying tools, indicator removal, system checks, and exfiltration over C2. Because no official detection text is provided, teams should map local telemetry to these behaviors rather than rely on a single malware signature. The most important validation question is whether mobile controls can surface high-risk permission grants and runtime behavior after installation, especially for apps that appear legitimate or fetch code after installation.
Likely telemetry
- Android application inventory and installation source records
- Accessibility Service enablement and permission grant events
- Notification access, SMS access, call control, location, screen capture, and device administration permission state
- Mobile device management or mobile threat defense alerts and policy violations
- Application runtime behavior showing dynamic code download or new payload/tool transfer
Detection direction
- Start with behavior-based detections for Android accessibility abuse combined with sensitive permissions such as notification, SMS, screen capture, location, call control, or device administrator access.
- Correlate suspicious permission grants with app masquerading indicators, installation from untrusted or unusual sources, and post-install dynamic code download behavior.
- Tune network detections for mobile endpoints to identify unusual application-layer communications, web-protocol C2 patterns, and non-standard protocol/port pairings without treating all HTTPS mobile traffic as malicious.
- Validate whether mobile security tooling reports attempts to prevent app removal, disable or modify tools, or remove indicators; these behaviors can reduce telemetry reliability.
- Account for false positives from legitimate accessibility tools, enterprise device-management agents, banking apps, productivity apps, and assistive applications; detections should combine permission context, app reputation/source, and runtime behavior.
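The accessibility-plus-sensitive-permission correlation and the false-positive handling described above, as an added example that is not part of Glexia's analysis or MITRE's content: a Python scorer over MDM/MTD-style app records. The record fields, the trusted-installer list, the allowlist and the sample records are constructed assumptions.

```python
"""Added example, not Glexia's or MITRE's code: score Android app telemetry against the
permission and runtime behaviors ATT&CK links to Chameleon. Field names, installer list,
allowlist and sample records are constructed assumptions; adapt to your MDM/MTD export."""
from dataclasses import dataclass
# Android permission/service names for the behaviors listed above.
HIGH_RISK = {"BIND_NOTIFICATION_LISTENER_SERVICE", "READ_SMS", "RECEIVE_SMS",
             "ANSWER_PHONE_CALLS", "ACCESS_FINE_LOCATION", "BIND_DEVICE_ADMIN",
             "MEDIA_PROJECTION"}
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.managed.store"}  # assumed
ALLOWLIST = {"com.google.android.marvin.talkback", "com.example.mdm.agent"}  # assumed

@dataclass(frozen=True)
class AppRecord:
    package: str
    installer: str               # installing package, or "sideload"
    permissions: frozenset
    accessibility_enabled: bool  # an Accessibility Service of this app is bound
    runtime_code_download: bool  # new code/payload fetched after install
    masquerade: bool             # label/icon mimics a known app, package differs

def assess(rec: AppRecord) -> tuple[str, list[str]]:
    """Return (severity, reasons): accessibility plus a sensitive permission is medium,
    and untrusted source, runtime download or masquerading on top raises it to high."""
    if rec.package in ALLOWLIST:          # legitimate assistive/management apps
        return "info", ["allowlisted package"]
    reasons = []
    if rec.accessibility_enabled:
        reasons.append("accessibility service enabled")
    risky = sorted(rec.permissions & HIGH_RISK)
    if risky:
        reasons.append("sensitive permissions: " + ",".join(risky))
    if rec.installer not in TRUSTED_INSTALLERS:
        reasons.append("untrusted installer: " + rec.installer)
    if rec.runtime_code_download:
        reasons.append("code downloaded after install")
    if rec.masquerade:
        reasons.append("label/icon mimics a known app")
    if rec.accessibility_enabled and risky:
        return ("high" if len(reasons) >= 3 else "medium"), reasons
    if rec.accessibility_enabled or rec.runtime_code_download:
        return "low", reasons
    return "info", reasons
# Constructed records: sideloaded look-alike, store-installed bank app, allowlisted screen reader.
SAMPLE = [
    AppRecord("com.example.wallet.clone", "sideload", frozenset({"READ_SMS"}), True, True, True),
    AppRecord("com.example.bank", "com.android.vending", frozenset({"READ_SMS"}), False, False, False),
    AppRecord("com.google.android.marvin.talkback", "com.android.vending", frozenset(), True, False, False),
]
def triage(records=SAMPLE) -> dict:   # package -> severity, e.g. for SIEM export
    return {r.package: assess(r)[0] for r in records}
```

A store-installed banking app holding READ_SMS alone stays at "info", which is the false-positive behavior the last bullet asks for.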
Mitigation priorities
- Enforce Android app installation policy through managed app stores or approved sources where business-appropriate.
- Restrict or alert on high-risk permissions and services, especially Accessibility Services, notification access, SMS access, screen capture, call control, location, and device administrator capabilities.
- Use mobile device management and mobile threat defense controls to maintain application inventory, permission posture, compliance state, and remote response capability.
- Harden identity workflows that rely on mobile devices by reducing exposure of one-time codes in notifications/SMS where feasible and using phishing-resistant or app-bound authentication where supported by business systems.
- Prepare IR procedures for mobile malware cases, including device isolation, evidence preservation, credential/session revocation, and safe removal or re-enrollment when an app resists uninstall.
Analyst notes and limits
This take is based on the supplied ATT&CK S1083 Chameleon object and its relationships. The object is in the mobile ATT&CK domain, platform Android, and is described as an Android banking trojan that can use Accessibility Services and masquerade as official applications. The relationship set is broad and materially useful for defensive planning because it identifies the behaviors teams should validate across mobile telemetry, identity workflows, and incident response.
MITRE supplied no official detection text, no aliases, no labels, and no tactics for this object in the provided fields. The referenced targeting geographies and activity timing come from the official description and citations, but this response does not assert current activity, attribution, customer exposure, or guaranteed detectability. Local device-management coverage, BYOD policy, privacy constraints, app inventory, and mobile telemetry determine actual risk and detection feasibility.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1575 | Native API | Chameleon has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.[2] |
| Mobile | T1630 | Indicator Removal on Host | Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1] |
| Mobile | T1426 | System Information Discovery | Chameleon has the ability to gather basic device information, such as version, model, root status, and country.[1] Chameleon has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, Chameleon has checked the keyguard’s status regarding how the device is locked (e.g. pattern, PIN or password).[2] |
| Mobile | T1453 | Abuse Accessibility Features | After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect.[1][2] |
| Mobile | T1533 | Data from Local System | Chameleon has gathered cookies and device logs.[1][2] |
| Mobile | T1603 | Scheduled Task/Job | Chameleon has used the AlarmManager API to schedule tasks.[2] |
| Mobile | T1616 | Call Control | Chameleon has the ability to control calls.[2] |
| Mobile | T1660 | Phishing | Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.[2] |
| Mobile | T1544 | Ingress Tool Transfer | Chameleon has downloaded HTML overlay pages after installation.[1] |
| Mobile | T1633.001 | System Checks Sub-technique | |
| Mobile | T1437 | Application Layer Protocol | Chameleon has used a SOCKS proxy.[2] |
| Mobile | T1437.001 | Web Protocols Sub-technique | Chameleon has used HTTP to communicate with the C2 server.[1] |
| Mobile | T1509 | Non-Standard Port | Chameleon has communicated over port 7242 using HTTP.[1] |
| Mobile | T1430 | Location Tracking | Chameleon has gathered device location data.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Chameleon has sent stolen data over HTTP.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | Chameleon has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.[1][2] |
| Mobile | T1517 | Access Notifications | Chameleon has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.[1] |
| Mobile | T1418 | Software Discovery | Chameleon has read the name of application packages.[1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Chameleon has gathered SMS messages.[1] |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | |
| Mobile | T1417.001 | Keylogging Sub-technique | |
| Mobile | T1513 | Screen Capture | Chameleon has captured the device’s screen.[2] |
| Mobile | T1629.001 | Prevent Application Removal Sub-technique | Chameleon has prevented application removal by abusing Accessibility Services.[1][2] |
| Mobile | T1407 | Download New Code at Runtime | Chameleon has the ability to download new code at runtime.[1] |
| Mobile | T1461 | Lockscreen Bypass | Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.[2] |
| Mobile | T1629.003 | Disable or Modify Tools Sub-technique | Chameleon has the ability to disable Google Play Protect.[1][2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 44cf07b10796… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] cyble_chameleon_0423: Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
- [2] ThreatFabric_Chameleon_Dec2023: ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
- [3] mitre-attack: S1083 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.