{"description": "Mobile techniques used by Chameleon, ATT&CK software S1083 (v1.0)", "name": "Chameleon (S1083)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1517", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1533", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "comment": 
"[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1544", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1430", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called \u2018CoinSpot\u2019, and IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1509", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1633", "showSubtechniques": true}, {"techniqueID": "T1633.001", "comment": "[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Chameleon", "color": "#66b1ff"}]}