{
  "description": "Mobile techniques used by Chameleon, ATT&CK software S1083 (v2.0)",
  "name": "Chameleon (S1083)",
  "domain": "mobile-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1453", "comment": "After accessibility permissions are granted, [Chameleon](https://attack.mitre.org/software/S1083) has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1517", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has registered as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1437", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has used a SOCKS proxy.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1437.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has used HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1616", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to control calls.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1533", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered cookies and device logs.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1407", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to download new code at runtime.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1646", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has sent stolen data over HTTP.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1629", "showSubtechniques": true},
    {"techniqueID": "T1629.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has prevented application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1629.003", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to disable Google Play Protect.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1630", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has removed artifacts of its presence and has the ability to uninstall itself.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1544", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has downloaded HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1417", "showSubtechniques": true},
    {"techniqueID": "T1417.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has logged keystrokes of an infected device.(Citation: cyble_chameleon_0423) Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has stolen PINs, passwords and graphical keys through keylogging functionalities.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1417.002", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has performed overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has launched overlay attacks through the “Injection” activity.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1430", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered device location data.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1461", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, [Chameleon](https://attack.mitre.org/software/S1083) will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1655", "showSubtechniques": true},
    {"techniqueID": "T1655.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as legitimate applications, such as a cryptocurrency application called ‘CoinSpot,’ the IKO banking application in Poland, and an application used by the Australian Taxation Office (ATO). It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423)(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1575", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has used the KeyguardManager API to evaluate the device’s locking mechanism and the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1509", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has communicated over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1660", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has been distributed using phishing links and a Content Distribution Network (CDN) for file distribution.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1636", "showSubtechniques": true},
    {"techniqueID": "T1636.004", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has gathered SMS messages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1603", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has used the AlarmManager API to schedule tasks.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1513", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has captured the device’s screen.(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1418", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has read the name of application packages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1426", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has the ability to gather basic device information, such as version, model, root status, and country.(Citation: cyble_chameleon_0423) [Chameleon](https://attack.mitre.org/software/S1083) has also checked the restricted settings status of the device. If the Android 13 Restricted Settings status is present, an HTML page with instructions on how to enable the Accessibility Service will be shown to the user. Additionally, [Chameleon](https://attack.mitre.org/software/S1083) has checked the keyguard’s status regarding how the device is locked (e.g. pattern, PIN or password).(Citation: ThreatFabric_Chameleon_Dec2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1633", "showSubtechniques": true},
    {"techniqueID": "T1633.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has performed system checks to verify if the device is rooted or has ADB enabled; if found, [Chameleon](https://attack.mitre.org/software/S1083) will avoid execution.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Chameleon", "color": "#66b1ff"}]
}
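The layer above records what Chameleon does at runtime (accessibility abuse, an SMS broadcast receiver, overlay injection, keylogging), and several of those behaviours leave a static footprint in an APK's manifest before the app is ever run. The script below is an added example, not MITRE's code and not code from any Chameleon sample: it parses an AndroidManifest.xml, maps the manifest-level evidence to technique IDs in a Navigator layer of the shape shown above, and separates techniques the manifest corroborates from those that are only observable at runtime. The manifest, the benign control manifest and the layer excerpt are constructed for illustration, and the evidence-to-technique mapping is a heuristic assumption made here, not an ATT&CK definition.

```python
"""Static triage of an AndroidManifest.xml against a Navigator layer (added example;
not MITRE or Chameleon code; manifests and layer excerpt are constructed)."""
import json
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix ElementTree gives android:* attrs
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumed mapping from requested permissions to technique IDs used in the layer.
PERMISSION_HINTS = {
    "android.permission.RECEIVE_SMS": "T1636.004",
    "android.permission.READ_SMS": "T1636.004",
    "android.permission.ACCESS_FINE_LOCATION": "T1430",
    "android.permission.ACCESS_COARSE_LOCATION": "T1430",
    "android.permission.INTERNET": "T1437.001",  # almost every app has it: weak on its own
}

# Constructed manifest for a hypothetical dropper-style app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notarealapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsBroadcast">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <activity android:name=".Injection"/>
  </application>
</manifest>"""

# Constructed benign control: INTERNET only, no accessibility service or SMS receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""

# Excerpt in the same shape as the layer above; parent rows carry no score.
SAMPLE_LAYER = {"name": "Chameleon (S1083)", "techniques": [
    {"techniqueID": "T1453", "score": 1}, {"techniqueID": "T1517", "score": 1},
    {"techniqueID": "T1437.001", "score": 1}, {"techniqueID": "T1629", "showSubtechniques": True},
    {"techniqueID": "T1629.001", "score": 1}, {"techniqueID": "T1417.002", "score": 1},
    {"techniqueID": "T1430", "score": 1}, {"techniqueID": "T1636.004", "score": 1},
]}


def parse_manifest(xml_text):
    """Collect the manifest facts the heuristic needs."""
    root = ET.fromstring(xml_text)
    facts = {"permissions": set(), "accessibility_services": [], "sms_receivers": []}
    for up in root.iter("uses-permission"):
        facts["permissions"].add(up.get(A + "name", ""))
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_PERM:
            facts["accessibility_services"].append(svc.get(A + "name"))
    for rcv in root.iter("receiver"):
        if SMS_RECEIVED in {act.get(A + "name") for act in rcv.iter("action")}:
            facts["sms_receivers"].append(rcv.get(A + "name"))
    return facts


def manifest_evidence(facts):
    """Map manifest facts to {technique_id: [reason, ...]}."""
    ev = {}
    for name in facts["accessibility_services"]:
        # Only the capability is visible statically; what the service does once enabled
        # (keylogging, overlays, blocking uninstall, disabling Play Protect) is not.
        ev.setdefault("T1453", []).append(f"service {name} binds {ACCESSIBILITY_PERM}")
    for name in facts["sms_receivers"]:
        ev.setdefault("T1517", []).append(f"receiver {name} listens for {SMS_RECEIVED}")
    for perm, tid in PERMISSION_HINTS.items():
        if perm in facts["permissions"]:
            ev.setdefault(tid, []).append(f"requests {perm}")
    return ev


def layer_technique_ids(layer):
    """Scored rows only; parent rows that merely expand sub-techniques are skipped."""
    return {t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0}


def triage(layer, xml_text):
    ids = layer_technique_ids(layer)
    ev = manifest_evidence(parse_manifest(xml_text))
    return {
        "corroborated": sorted(t for t in ev if t in ids),
        "runtime_only": sorted(ids - set(ev)),  # in the layer but invisible to a manifest check
        "evidence": ev,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LAYER, SAMPLE_MANIFEST), indent=2))
```

Two caveats worth keeping in mind when using this on real APKs. First, the manifest shows capability, not behaviour: an accessibility service declaration corroborates T1453 but says nothing about overlays (T1417.002) or uninstall prevention (T1629.001), which the script therefore reports as runtime-only. Second, a receiver can be registered dynamically with `registerReceiver()` rather than in the manifest, so an empty `sms_receivers` list is not evidence of absence; the benign manifest is included to show that `INTERNET` alone corroborates nothing meaningful.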