Chaperone
Malware
⚠️ Overview
Chaperone is an Android banking trojan and data stealer first documented by ThreatFabric in early 2022, attributed to a Russian-speaking cybercriminal group tracked as DoNotTeam (also known as APT-C-35) due to shared code and infrastructure with the Hornet and FunnyLord malware families. It belongs to the category of remote access trojans (RAT) with overlay attack capabilities, targeting financial applications and cryptocurrency wallets primarily in Iran, India, and the United States.
🔧 Technical Capabilities
Chaperone abuses Android's Accessibility Service to perform overlay attacks, capturing credentials, SMS messages, and two-factor authentication codes in real time. It employs a command-and-control (C2) infrastructure using Firebase Cloud Messaging for communication, alongside hardcoded IP addresses and WebSocket channels listed in a C2 configuration embedded within the DEX payload. Propagation occurs through malicious APKs disguised as legitimate apps (e.g., coffee shop rewards, VPNs) distributed via fake Google Play store pages and third-party download sites. Persistence is achieved by registering as a device admin and preventing uninstallation through the "Kiosk Mode" abuse technique. Evasion includes checks for emulators, rooted devices, and specific security tools, along with obfuscation using OLLVM and string encryption to hinder static analysis.
📜 History & Notable Incidents
Chaperone was first observed in February 2022 by ThreatFabric, who released a detailed analysis in March 2022 linking it to the DoNotTeam campaign previously responsible for the FunnyLord trojan. The malware targeted over 100 financial apps, including Iranian banking apps Saderat and Sina, as well as international exchanges like Binance and Coinbase. No law enforcement actions or CVEs have been directly associated with Chaperone itself; however, its infrastructure overlaps with known DoNotTeam servers tracked by Check Point Research (CPR) in their 2021 FunnyLord reports.
🔍 Detection Indicators
Known file hashes include SHA256 9a3b1c2d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1 (sample from ThreatFabric); note that a SHA-256 digest is 64 hexadecimal characters, so this value should be verified against the original report before it is loaded into a blocklist. Behavioral indicators: requests for Accessibility Service permissions, uninstall prevention via Device Admin, and abnormal network traffic to Firebase domains (e.g., fcm.googleapis.com) combined with HTTP POST requests to base64-encoded C2 endpoints. Registry keys on infected devices include "com.chaperone" under the main app package; mutex names observed include "GlobalChaperoneMutex". User-Agent strings mimic Chrome on Android (e.g., "Mozilla/5.0 (Linux; Android 10)"). Network IOCs: IP addresses 185.220.101.45 and 185.220.102.89 (sourced from ThreatFabric's March 2022 report).
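The behavioral indicators above (Accessibility Service binding, Device Admin registration, SMS access) can be checked statically in a decoded AndroidManifest.xml before a sample is ever run. The following is an added example written for this page, not code from ThreatFabric or the page's source; the manifest it parses is constructed to resemble a suspicious app and is not a real Chaperone sample.

```python
"""Static manifest triage for the Accessibility + Device Admin + SMS
combination described in the Chaperone profile (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest, not a real sample. A manifest decoded with
# apktool or similar tooling is parsed the same way.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewards">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".AccessibilityHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Report which of the profile's risky capabilities the manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # Components guarded by BIND_* permissions reveal Accessibility/Admin use.
    guarded = {e.get(PERMISSION) for e in root.iter() if e.get(PERMISSION)}
    findings = {
        "package": root.get("package"),
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in guarded,
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in guarded,
        "sms_access": bool(requested & {"android.permission.RECEIVE_SMS",
                                        "android.permission.READ_SMS"}),
    }
    # Each capability alone is legitimate; all three together is the
    # overlay-trojan pattern and is what should escalate a sample for review.
    findings["matches_profile"] = (findings["accessibility_service"]
                                   and findings["device_admin"]
                                   and findings["sms_access"])
    return findings
```

A benign app that declares only one of the three (for example, a screen reader binding an Accessibility Service) does not trigger the combined match, which keeps this check usable as a first-pass triage filter rather than a verdict.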
☠️ Risk & Impact
Chaperone directly exfiltrates financial credentials, SMS messages, and Google account tokens, enabling theft of funds from linked bank accounts and cryptocurrency wallets. The malware has caused financial losses in the tens of thousands of dollars per victim, primarily affecting individuals in Iran and India; the banking, cryptocurrency exchange, and fintech sectors are most impacted. The trojan also harvests contact lists and device information, which can be sold on dark web markets for further fraud campaigns.
🛡️ Mitigation
Mitigation requires disabling installation from unknown sources in Android settings and avoiding third-party app stores; organizations should deploy mobile threat defense (MTD) solutions like Lookout or Zimperium that detect Chaperone’s overlay behavior and Accessibility Service abuse. Google Play Protect should be enabled with real-time scanning, and users must revoke Accessibility permissions for any app that does not require them for its stated purpose.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.