Chameleon Android Banking Trojan Aiming Users Through Deceitful CRM Application

Aug 07, 2024Ravie LakshmananAndroid / Mobile Security,


Cybersecurity researchers have uncovered a new technique used by the threat actors behind the Chameleon Android banking trojan to target users in Canada by masquerading as a Customer Relationship Management (CRM) application.

Dutch cybersecurity firm ThreatFabric said in a recent technical report that “Chameleon was spotted posing as a CRM application, aiming at a Canadian restaurant chain with global operations.”

The campaign, observed in July 2024, targeted customers in Canada and Europe, suggesting an expansion of the trojan's target scope beyond countries like Australia, Italy, Poland, and the U.K.

The use of CRM themes for the malicious dropper apps carrying the malware suggests that the intended victims are likely customers in the hospitality sector and Business-to-Consumer (B2C) employees.


The dropper artifacts are designed to bypass the Restricted Settings that Google introduced in Android 13 and later to prevent sideloaded apps from requesting dangerous permissions (e.g., accessibility services), a technique previously used by SecuriDropper and Brokewell.
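The footprint of that bypass is an accessibility service enabled for a package that no app store installed. The following triage check is an added example, not from the article or ThreatFabric's report; it assumes the output formats of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and uses constructed sample output so it runs offline.

```shell
# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated "package/service" entries) and of `pm list packages -i`
# ("package:<name>  installer=<installer package>", "null" when sideloaded via adb).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.crmapp/com.example.crmapp.AccessService'
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.crmapp  installer=null
package:com.android.chrome  installer=com.android.vending'

# flag_sideloaded_a11y <a11y-list> <pm-output>
# Prints every package that has an accessibility service enabled but was not
# installed by a known store installer. Restricted Settings exists precisely to
# keep sideloaded apps from reaching this state, so any hit deserves a look.
flag_sideloaded_a11y() {
  a11y="$1"; pkgs="$2"
  printf '%s' "$a11y" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
    [ -n "$pkg" ] || continue
    installer=$(printf '%s\n' "$pkgs" | grep "^package:$pkg[[:space:]]" | sed 's/.*installer=//')
    case "$installer" in
      com.android.vending|com.sec.android.app.samsungapps) ;;   # store-installed: expected
      *) printf '%s installer=%s\n' "$pkg" "${installer:-unknown}" ;;
    esac
  done
}

# On a live device, feed the real command output instead of the samples:
#   flag_sideloaded_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#                        "$(adb shell pm list packages -i)"
```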

Once installed, the app displays a counterfeit login page for a CRM tool, then shows a fake error message instructing the victim to reinstall the app, while in reality deploying the Chameleon payload.


This is followed by reloading the bogus CRM page, which again prompts the victim to complete the login, only to display a different error message stating “Your account is not activated yet. Contact the HR department.”

Chameleon is capable of performing on-device fraud (ODF) and transferring funds out of victims' accounts, while also abusing overlays and its extensive permissions to harvest credentials, contact lists, SMS messages, and geolocation data.

“If the hackers manage to infect a device with access to corporate banking, Chameleon can gain entry to business banking accounts, posing a substantial threat to the company,” warned ThreatFabric. “The increased possibility of such access for employees involved in CRM roles likely fueled the choice of this deception during the recent operation.”


The disclosure follows IBM X-Force's report on a Latin American banking malware campaign run by the CyberCartel group to steal credentials and financial data and distribute a trojan named Caiman via malicious Google Chrome extensions.

“The end goal of these malicious operations is to install a harmful browser plugin on the victim’s browser and employ the Man-in-the-Browser method,” the company noted.

“This enables the attackers to unlawfully gather sensitive banking details, as well as other pertinent data such as compromised machine information and on-demand screenshots. Updates and setup configurations are distributed through a Telegram channel operated by the threat actors.”
