This Malicious Android Banking Trojan Disables Fingerprint Unlocking and Steals PINs - How to Stay Safe

If you unlock your phone with your fingerprint instead of a PIN because it is harder for someone to observe, that is a reasonable choice. However, the operators of one Android malware family have upgraded it to disable both fingerprint and face unlock on infected phones, forcing victims back to the PIN so that the malware can capture it.

As reported by BleepingComputer, the Chameleon banking Trojan has resurfaced with upgraded features. An earlier version, discovered earlier this year, impersonated government agencies, banks, and crypto exchanges.

Its operators also used Chameleon for keylogging, for injecting overlays on top of popular apps to harvest credentials, and for stealing cookies and text messages from compromised phones.

With the PIN in hand, criminals can unlock the phone at any time, which makes it easy not only to steal sensitive data from the device but also to withdraw money from banking apps and other financial apps.

According to a new report from ThreatFabric, Chameleon is now being distributed through the Zombinder service, with the dropper disguised as Google Chrome to stay under the radar. Zombinder is a malware binder (packer) that attaches malicious code to legitimate Android apps. The criminals behind the service even claim that its bundles can evade the best Android antivirus apps as well as Google Play Protect.

In addition to the new distribution method, this Chameleon variant can display an HTML page on devices running Android 13 or later that walks the victim through granting the app access to the operating system's accessibility services. This was added because Android 13 introduced a security feature called Restricted Settings, which blocks sideloaded apps from being granted accessibility-style permissions that are frequently abused by malware. Since the permission is blocked by default, the HTML page guides the victim step by step through the process of enabling it (on stock Android this means allowing restricted settings for the app from its App info screen and then turning the accessibility service on by hand).

On top of this, the new version of Chameleon can interfere with biometric unlock (fingerprint or face) on infected phones. It abuses the accessibility services it has been granted to force the device back to PIN or password authentication, captures the PIN or password as it is typed, and can then use it to unlock the infected device at any later time.

Chameleon can also schedule its tasks through the AlarmManager API, which lets it time its activity around the phone's normal use and run while the device is not actively in use. This helps the malware stay hidden and avoid detection.

When a service such as Zombinder is in the mix, protecting yourself from Android malware becomes much harder, because, as noted above, its operators claim that legitimate apps injected with malicious code through Zombinder can slip past both Google Play Protect and antivirus software.

The most reliable defense is therefore to avoid this kind of app altogether. The easiest way to do that is to stop sideloading apps onto your Android phone: installing an APK file is convenient and quick, but it is very hard to tell what the file actually contains. Instead, stick to official app stores such as the Google Play Store, or vendor-run stores such as the Amazon Appstore or the Samsung Galaxy Store.
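The two warning signs described above, an app that did not come from a store and an app that has been granted an accessibility service, can be checked together over adb. The POSIX shell script below is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell pm list packages -i` (package plus installer) and `adb shell settings get secure enabled_accessibility_services` (colon-separated service components) and flags packages that are both sideloaded and running an accessibility service. The package names for the Amazon and Samsung stores and the sample command output are assumptions embedded inline so the script runs offline; replace the two sample variables with the real adb output when using it.

```shell
#!/bin/sh
# Added example: flag sideloaded packages that also have an accessibility
# service enabled. All sample data below is constructed for the example.

# Constructed sample of `adb shell pm list packages -i` output.
# Replace with:  PKG_LIST=$(adb shell pm list packages -i)
PKG_LIST='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.fake.chrome  installer=null
package:com.example.helper  installer=com.google.android.packageinstaller'

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Replace with:  A11Y=$(adb shell settings get secure enabled_accessibility_services)
A11Y='com.fake.chrome/.AccessService:com.android.talkback/.TalkBackService'

# Installer package names treated as trusted stores (assumed values for the
# Play Store, Amazon Appstore and Samsung Galaxy Store); edit for your fleet.
TRUSTED='com.android.vending com.amazon.venezia com.sec.android.app.samsungapps'

# Print "<package> <installer>" for every package whose installer is not in
# TRUSTED. "null" means no recorded installer, typical of a hand-installed APK.
sideloaded() {
    printf '%s\n' "$PKG_LIST" | while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}        # cut at first whitespace
        inst=${line##*installer=}
        case " $TRUSTED " in
            *" $inst "*) ;;             # installed by a trusted store
            *) printf '%s %s\n' "$pkg" "$inst" ;;
        esac
    done
}

# Print the package name of every enabled accessibility service.
# Components look like "pkg/.ServiceClass" separated by colons.
a11y_packages() {
    printf '%s\n' "$A11Y" | tr ':' '\n' | sed 's#/.*##'
}

# Packages that are both sideloaded and have an accessibility service enabled:
# the combination Chameleon needs after its Restricted Settings walkthrough.
suspicious() {
    sideloaded | while read -r pkg inst; do
        if a11y_packages | grep -qx "$pkg"; then
            printf '%s (installer=%s)\n' "$pkg" "$inst"
        fi
    done
}

echo "Sideloaded packages:"
sideloaded
echo
echo "Sideloaded packages with an accessibility service enabled:"
suspicious
```

A hit from `suspicious` is not proof of infection (some legitimate sideloaded accessibility tools exist), but it is exactly the state this Trojan has to reach, so each hit deserves a look at where the APK came from and whether the accessibility service was expected.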

With the threat growing, Google appears to be working on ways for Google Play Protect to detect apps that have had malware injected through Zombinder. Until then, the best bet is to keep the number of apps on your phone small and to avoid installing apps you do not actually need.
