Tuesday, Dec 26, 2023

New Android malware can steal your password by disabling fingerprint and face unlock

Dubbed 'Chameleon Trojan', the malware uses the 'Accessibility service' on Android devices to disable fingerprint and face unlock and even tracks the user's app usage habits so it can run when the device is not in use.

Chameleon Trojan can also evade detection by malware scanning apps. (Image Source: Bing Image Creator)

Security researchers have discovered a new version of the ‘Chameleon Trojan’ malware that can disable biometric authentication methods like fingerprint and face unlock to steal your phone’s PIN.

According to ThreatFabric, a cybersecurity company tracking the malware since its discovery earlier this year, Chameleon Trojan attaches itself to legitimate Android apps like Google Chrome to avoid detection and runs its code in the background.

A recent report by Bleeping Computer also says that the threat actors working on the malware claim that Chameleon Trojan bundles are undetectable at runtime, allowing it to bypass Google Play Protect alerts and security software running on the device.


On Android 12 and previous versions, the malware uses the Accessibility service to gain unauthorised access but works a bit differently on newer versions of the operating system due to Google’s new security restrictions.

This is what the HTML prompt looks like. (Image Source: ThreatFabric)

Since the ‘accessibility service’ is locked behind a new ‘Restricted setting’ option, Chameleon Trojan shows an HTML page with instructions on how to enable the service for the app, allowing it to bypass the device’s security mechanisms.


It steals on-screen content, grants itself more permissions and can even navigate using gestures to capture any PINs and passwords users enter to unlock the device. Chameleon Trojan then uses the stolen PIN to unlock the device in the background and steal more sensitive information like credit card details, login credentials and more.

Researchers also say that the malware collects information on app usage habits to determine when the user is using their device and launch attacks when they are least likely to use it.


To protect yourself from Chameleon Trojan, avoid installing Android apps from unofficial sources and make sure you don’t enable the ‘Accessibility service’ for unknown apps. Cybersecurity researchers also suggest users run security scans at regular intervals and keep Google Play Protect enabled at all times.
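One way to act on that last piece of advice is to audit which apps actually hold accessibility access. The script below is an added example, not code from the article or from ThreatFabric: it parses the Android secure setting `enabled_accessibility_services` (a colon-separated list of package/service component names, readable over USB debugging with `adb shell settings get secure enabled_accessibility_services`) and flags any service not on a known-good list. The `com.example.fakebrowser` entry in the sample is a constructed placeholder, not a real indicator.

```python
"""Flag Android accessibility services that are not on a known-good list.

Added example (not from the article or ThreatFabric). Parses the value of the
Android secure setting `enabled_accessibility_services`, a colon-separated
list of component names (package/service class), as returned by
`adb shell settings get secure enabled_accessibility_services`.
"""
import shutil
import subprocess

# Accessibility services the device owner knowingly enabled.
# TalkBack is Google's screen reader; extend this set for your own devices.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of what the setting might hold on a compromised device.
# "com.example.fakebrowser" is a placeholder package, not a real indicator.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebrowser/com.example.fakebrowser.AccessSvc"
)


def parse_services(setting_value):
    """Split the raw setting into component names; 'null' or empty means none."""
    if setting_value is None or setting_value.strip() in ("", "null"):
        return []
    return [c.strip() for c in setting_value.split(":") if c.strip()]


def unexpected_services(setting_value, allowlist=KNOWN_GOOD):
    """Return components with accessibility access that are not allowlisted."""
    return [c for c in parse_services(setting_value) if c not in allowlist]


def read_setting_via_adb():
    """Read the live value from a USB-debugging device, or None if adb is unavailable."""
    if shutil.which("adb") is None:
        return None
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=False,
    )
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # Fall back to the constructed sample when no device is connected.
    value = read_setting_via_adb() or SAMPLE_SETTING
    for comp in unexpected_services(value):
        print("review accessibility access for:", comp)
```

Any flagged component should be checked in Settings > Accessibility and disabled if you do not recognise the app.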

First published on: 26-12-2023 at 10:47 IST