Your pin can be stolen by Chameleon Android malware by turning off fingerprint unlock

Don’t let anything happen to you.

While your fingerprint is traditionally considered a unique identifier, its reliability in safeguarding personal information is facing a new challenge. The latest iteration of the Chameleon Android malware is purportedly capable of circumventing fingerprint security measures, posing a threat to the confidentiality of your PIN.

As per findings from ThreatFabric researchers, the malware employs a cunning tactic by deceiving users into enabling accessibility services. Subsequently, this enables attackers to shift the device’s security setting from a biometric (fingerprint) to a PIN lock. The modus operandi, as detailed by Bleeping Computer, involves masquerading as legitimate Android applications and presenting an HTML page that prompts users to activate accessibility settings.

This strategic move allows the malware to circumvent security safeguards, including fingerprint unlock. Once the victim opts for PIN-based login instead of using their fingerprint, the attackers can illicitly capture and steal the entered PIN or any associated passwords.

Individuals must exercise caution when utilizing applications, especially those related to sensitive activities like banking. Verifying the legitimacy of apps becomes crucial in light of these developments.

Also Read | Humane launches AI Pin, a wearable powered by OpenAI

ThreatFabric emphasized, “These enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans.”

Bleeping Computer highlighted that the primary distribution channel for the malware appears to be Android package files (APKs) sourced from unofficial channels. This underscores the importance of obtaining applications from official and trusted sources to mitigate the risk of encountering malicious software.

Also Read | iOS 17.3 will include a new anti-theft feature from Apple