Cybersecurity researchers have discovered a new strategy used by threat actors spreading the Chameleon Android banking trojan targeting users in Canada by posing as a Customer Relationship Management (CRM) app.
“Chameleon was found pretending to be a CRM app, focusing on a Canadian restaurant chain with a global presence,” Dutch cybersecurity firm ThreatFabric reported in a technical analysis released on Monday.
This campaign, identified in July 2024, aimed at customers in Canada and Europe, indicating an expansion of the target region beyond Australia, Italy, Poland, and the U.K.
The use of CRM-related themes in the malicious dropper apps carrying the malware suggests that the targets are customers in the hospitality industry and Business-to-Consumer (B2C) employees.
The dropper artifacts are crafted to circumvent Restricted Settings, a protection Google introduced in Android 13 and later that blocks sideloaded apps from requesting dangerous permissions (e.g., accessibility services), a tactic previously used by SecuriDropper and Brokewell.
Upon installation, the app shows a fake CRM login page and then displays a fake error message prompting the victim to reinstall the app; in reality, this step deploys the Chameleon malware payload.
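Because the dropper's whole purpose is to obtain accessibility-service access that Restricted Settings would normally block, one check a defender or incident responder can run on a suspect device is to list which packages currently hold enabled accessibility services and compare them against an allowlist. The script below is an added example, not code from the article or from ThreatFabric. It assumes the value format that `adb shell settings get secure enabled_accessibility_services` prints (entries of the form `package/ServiceClass` separated by colons); the allowlist and the sample setting value are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose package is
# not on an allowlist. Input is the string that
#   adb shell settings get secure enabled_accessibility_services
# prints: entries like com.pkg/com.pkg.Service, separated by ':'.

# Packages expected to hold accessibility access on this fleet (assumption;
# adjust to your own baseline).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Constructed sample value mimicking the adb output format; not real data.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakecrm/com.example.fakecrm.AccessService"

# find_unexpected_a11y SETTING_VALUE
# Prints one package name per line for every enabled accessibility service
# whose package is not allowlisted. Returns 1 if any were found, else 0.
find_unexpected_a11y() {
    value="$1"
    found=0
    # An empty value or the literal "null" means no service is enabled.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for entry in $value; do
        # Strip the "/ServiceClass" suffix to get the package name.
        pkg="${entry%%/*}"
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;                      # allowlisted, ignore
            *) printf '%s\n' "$pkg"; found=1 ;; # unexpected package
        esac
    done
    IFS="$old_ifs"
    return $found
}

# On a real device, feed the live value instead of the constructed sample:
#   find_unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
if ! find_unexpected_a11y "$SAMPLE_SETTING"; then
    echo "unexpected accessibility services enabled; review the packages above" >&2
fi
```

An unexpected package in this list is not proof of infection, but on a device where the user sideloaded a "CRM" app shortly before, it is the first thing worth checking, since the malware cannot perform its overlay and on-device fraud actions without that access.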
Afterwards, the phony CRM web page loads again, asking them to complete the login process, followed by a different error message stating “Your account is not activated yet. Contact the HR department.”
Chameleon is capable of on-device fraud (ODF) and unauthorized fund transfers, utilizing overlays and extensive permissions to steal credentials, contact lists, SMS messages, and geolocation data.
“If attackers manage to infect a device with access to corporate banking, Chameleon can compromise business banking accounts and pose a significant threat to the organization,” warned ThreatFabric. “The increased likelihood of such access for employees involved with CRM is likely the reason for the choice of this masquerade in the latest campaign.”
This development comes shortly after IBM X-Force detailed a Latin American banking malware campaign by the CyberCartel group to steal credentials and financial data, distributing a trojan called Caiman through malicious Google Chrome extensions.
“The main goal of these malicious activities is to install a harmful browser plugin on the victim’s browser and exploit the Man-in-the-Browser technique,” IBM X-Force said.
“This enables the attackers to illicitly gather sensitive banking information, along with other critical data such as compromised machine details and on-demand screenshots. Updates and configurations are shared via a Telegram channel by the threat actors,” they added.