S1083: Chameleon

Chameleon matters because it represents mobile banking trojan behavior on Android where user trust, accessibility permissions, and mobile authentication workflows become the control plane. ATT&CK describes it as masquerading as official applications and using Android Accessibility Services, with related behaviors spanning credential/input capture, notification access, screen capture, software and system discovery, C2 over web protocols, persistence/resistance to removal, and data exfiltration. For leaders, the practical issue is whether mobile devices used for banking, workforce identity, or sensitive business workflows are governed and observable enough to detect risky permissions and suspicious app behavior before credential theft or account compromise becomes an incident-response proble

Executive priority

Prioritize Chameleon as a mobile identity and fraud-resilience concern, not only a malware-name concern. The ATT&CK relationships point to risks around accessibility abuse, one-time-code exposure through notifications/SMS, GUI/input capture, and C2-based exfiltration. Executives should ask whether Android devices that access corporate email, finance systems, privileged workflows, or MFA prompts are covered by mobile device management, mobile threat defense, app-source policy, and incident response procedures. Audit and compliance evidence should show that the organization can inventory mobile apps, enforce permission and installation policy, and respond when an app resists removal or interferes with security tools.

Technical view

SOC, detection engineering, and IR teams should validate Android coverage around the behaviors ATT&CK links to Chameleon: Download New Code at Runtime, Keylogging, GUI Input Capture, Software/System Information Discovery, Location Tracking, Web Protocol C2, Abuse Accessibility Features, Lockscreen Bypass, Screen Capture, Access Notifications, SMS collection, local data collection, tool transfer, scheduled jobs, call control, prevention of app removal, disabling/modifying tools, indicator removal, system checks, and exfiltration over C2. Because no official detection text is provided, teams should map local telemetry to these behaviors rather than rely on a single malware signature. The most important validation question is whether mobile controls can surface high-risk permission grants and runtime behavior after installation, especially for apps that appear legitimate or fetch code after installation.

Likely telemetry

Android application inventory and installation source records
Accessibility Service enablement and permission grant events
Notification access, SMS access, call control, location, screen capture, and device administration permission state
Mobile device management or mobile threat defense alerts and policy violations
Application runtime behavior showing dynamic code download or new payload/tool transfer

Detection direction

Start with behavior-based detections for Android accessibility abuse combined with sensitive permissions such as notification, SMS, screen capture, location, call control, or device administrator access.
Correlate suspicious permission grants with app masquerading indicators, installation from untrusted or unusual sources, and post-install dynamic code download behavior.
Tune network detections for mobile endpoints to identify unusual application-layer communications, web-protocol C2 patterns, and non-standard protocol/port pairings without treating all HTTPS mobile traffic as malicious.
Validate whether mobile security tooling reports attempts to prevent app removal, disable or modify tools, or remove indicators; these behaviors can reduce telemetry reliability.
Account for false positives from legitimate accessibility tools, enterprise device-management agents, banking apps, productivity apps, and assistive applications; detections should combine permission context, app reputation/source, and runtime behavior.

Mitigation priorities

Enforce Android app installation policy through managed app stores or approved sources where business-appropriate.
Restrict or alert on high-risk permissions and services, especially Accessibility Services, notification access, SMS access, screen capture, call control, location, and device administrator capabilities.
Use mobile device management and mobile threat defense controls to maintain application inventory, permission posture, compliance state, and remote response capability.
Harden identity workflows that rely on mobile devices by reducing exposure of one-time codes in notifications/SMS where feasible and using phishing-resistant or app-bound authentication where supported by business systems.
Prepare IR procedures for mobile malware cases, including device isolation, evidence preservation, credential/session revocation, and safe removal or re-enrollment when an app resists uninstall.

Analyst notes and limits

This take is based on the supplied ATT&CK S1083 Chameleon object and its relationships. The object is in the mobile ATT&CK domain, platform Android, and is described as an Android banking trojan that can use Accessibility Services and masquerade as official applications. The relationship set is broad and materially useful for defensive planning because it identifies the behaviors teams should validate across mobile telemetry, identity workflows, and incident response.

MITRE supplied no official detection text, no aliases, no labels, and no tactics for this object in the provided fields. The referenced targeting geographies and activity timing come from the official description and citations, but this response does not assert current activity, attribution, customer exposure, or guaranteed detectability. Local device-management coverage, BYOD policy, privacy constraints, app inventory, and mobile telemetry determine actual risk and detection feasibility.

Official MITRE ATT&CK definition

Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 26 rows

Domain	ID	Name	Relationship / procedure
Mobile	T1575	Native API	Chameleon has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.[2]
Mobile	T1630	Indicator Removal on Host	Chameleon has removed artifacts of its presence and has the ability to uninstall itself.[1]
Mobile	T1426	System Information Discovery	Chameleon has the ability to gather basic device information, such as version, model, root status, and country.[1] Chameleon has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, Chameleon has checked the keyguard’s status regarding how the device is locked (e.g. pattern, PIN or password).[2]
Mobile	T1453	Abuse Accessibility Features	After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, disabling Play Protect.[1][2]
Mobile	T1533	Data from Local System	Chameleon has gathered cookies and device logs.[1][2]
Mobile	T1603	Scheduled Task/Job	Chameleon has used the AlarmManager API to schedule tasks.[2]
Mobile	T1616	Call Control	Chameleon has the ability to control calls.[2]
Mobile	T1660	Phishing	Chameleon has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.[2]
Mobile	T1544	Ingress Tool Transfer	Chameleon has downloaded HTML overlay pages after installation.[1]
Mobile	T1633.001	System Checks Sub-technique	Chameleon has performed system checks to verify if the device is rooted or has ADB enabled; if found, Chameleon will avoid execution.[1]
Mobile	T1437	Application Layer Protocol	Chameleon has used a SOCKS proxy.[2]
Mobile	T1437.001	Web Protocols Sub-technique	Chameleon has used HTTP to communicate with the C2 server.[1]
Mobile	T1509	Non-Standard Port	Chameleon has communicated over port 7242 using HTTP.[1]
Mobile	T1430	Location Tracking	Chameleon has gathered device location data.[1]
Mobile	T1646	Exfiltration Over C2 Channel	Chameleon has sent stolen data over HTTP.[1]
Mobile	T1655.001	Match Legitimate Name or Location Sub-technique	Chameleon has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.[1][2]
Mobile	T1517	Access Notifications	Chameleon has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.[1]
Mobile	T1418	Software Discovery	Chameleon has read the name of application packages.[1]
Mobile	T1636.004	SMS Messages Sub-technique	Chameleon has gathered SMS messages.[1]
Mobile	T1417.002	GUI Input Capture Sub-technique	Chameleon has performed overlay attacks against a device by injecting HTML phishing pages into a webview.[1] Chameleon has launched overlay attacks through the “Injection” activity.[2]
Mobile	T1417.001	Keylogging Sub-technique	Chameleon has logged keystrokes of an infected device.[1] Additionally, Chameleon has stolen PINs, passwords and graphical keys through keylogging functionalities.[2]
Mobile	T1513	Screen Capture	Chameleon has captured the device’s screen.[2]
Mobile	T1629.001	Prevent Application Removal Sub-technique	Chameleon has prevented application removal by abusing Accessibility Services.[1][2]
Mobile	T1407	Download New Code at Runtime	Chameleon has the ability to download new code at runtime.[1]
Mobile	T1461	Lockscreen Bypass	Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.[2]
Mobile	T1629.003	Disable or Modify Tools Sub-technique	Chameleon has the ability to disable Google Play Protect.[1][2]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Aug 16, 2023, 16:30 UTC (UTC+00:00)
Modified: Oct 24, 2025, 03:53 UTC (UTC+00:00)
Raw hash: 44cf07b1079604a9...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.0	Oct 24, 2025, 03:53 UTC (UTC+00:00)	Current bundle	`44cf07b10796…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
cyble_chameleon_0423

Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
Open source URL
[2]
ThreatFabric_Chameleon_Dec2023

ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
Open source URL
[3]
mitre-attack S1083
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams