Active since early 2023, the malware initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy.

When initially uncovered, ThreatFabric explains, Chameleon used multiple loggers, had limited malicious functionality, and contained various unused commands, suggesting that it was still under development.

Employing a proxy feature and abusing Accessibility Services, it could perform actions on behalf of the victim, allowing attackers to engage in Account Takeover (ATO) and Device Takeover (DTO) attacks, mainly targeting banking and cryptocurrency applications.