In a recent revelation, cybersecurity experts have uncovered a sophisticated tactic employed by the Chameleon Android banking trojan, which is now targeting users in Canada. This malware cleverly disguises itself as a Customer Relationship Management (CRM) application, posing a significant threat to unsuspecting individuals and businesses alike.
According to a technical report released by the Dutch security firm ThreatFabric, the Chameleon trojan was observed in a campaign that commenced in July 2024. The focus of this operation appears to be on customers within the hospitality sector, specifically a Canadian restaurant chain with international operations. Notably, this marks an expansion of the trojan's reach beyond its previous targets in Australia, Italy, Poland, and the U.K.
A Strategic Target: B2C Employees
The malicious applications, designed to resemble CRM tools, are particularly aimed at Business-to-Consumer (B2C) employees, indicating a strategic choice by the attackers to exploit vulnerabilities within this sector. The dropper artifacts utilized in this campaign have been engineered to circumvent the Restricted Settings introduced by Google in Android 13 and later versions, which are intended to prevent sideloaded apps from requesting dangerous permissions, such as accessibility services. This technique echoes methods previously seen in other malware like SecuriDroper and Brokewell.
Upon installation, the trojan presents a counterfeit login interface for a CRM application. Victims are then confronted with a deceptive error message that prompts them to reinstall the app. In reality, this action triggers the deployment of the Chameleon payload. Following this, the fake CRM webpage reappears, urging users to log in once more, only to be met with yet another fabricated error message stating, "Your account is not activated yet. Contact the HR department."
On-Device Fraud and Data Harvesting
Chameleon is not merely a nuisance; it is equipped to execute on-device fraud (ODF) and can illicitly transfer funds from users' accounts. The malware leverages overlays and extensive permissions to harvest sensitive information, including credentials, contact lists, SMS messages, and geolocation data. ThreatFabric warns that if attackers manage to compromise a device with access to corporate banking, the implications could be dire, granting them entry to business banking accounts and posing a substantial risk to the organization. The choice to masquerade as a CRM tool likely stems from the increased access afforded to employees whose roles involve such systems.
Broader Context: CyberCartel's Campaign
This development follows closely on the heels of a report from IBM X-Force, which detailed a separate banking malware campaign orchestrated by the CyberCartel group in Latin America. This campaign aimed to pilfer credentials and financial data while deploying a trojan named Caiman through malicious Google Chrome extensions. The overarching goal of these nefarious activities is to install harmful browser plugins on victims' browsers, utilizing the Man-in-the-Browser technique to illegally gather sensitive banking information, along with other pertinent data such as compromised machine information and on-demand screenshots. Updates and configurations for these attacks are disseminated via a Telegram channel operated by the threat actors.
For those interested in staying informed about the latest developments in cybersecurity, follow us on Twitter and LinkedIn for more exclusive content.