Cybersecurity researchers have uncovered a cunning new technique used by the cybercriminals behind the Chameleon Android banking trojan. The threat actors are targeting users in Canada by disguising their malware as a Customer Relationship Management (CRM) app, the Dutch security firm ThreatFabric revealed in a technical report published on Monday.
Expanding Targets: From Canada to Europe
In July 2024, researchers identified a campaign targeting customers in both Canada and Europe. This marks a significant expansion from Chameleon’s previous targets in Australia, Italy, Poland, and the U.K. By using CRM-related themes, the attackers focus on customers in the hospitality sector and Business-to-Consumer (B2C) employees.
Clever Bypass of Android’s Security Measures
The dropper artifacts in this campaign are designed to bypass the Restricted Settings that Google introduced in Android 13 and later versions. These settings normally prevent sideloaded apps from requesting dangerous permissions, such as the accessibility service. Chameleon cleverly sidesteps these restrictions, a technique seen before with malware such as SecuriDropper and Brokewell.
How the Chameleon Android Trojan Tricks Users
Once installed, the fake CRM app displays a bogus login page. After users attempt to log in, the app shows an error message, urging them to reinstall it. In reality, this action deploys the Chameleon payload. The app then reloads the phony CRM webpage, asking users to log in again, only to show another error message: “Your account is not activated yet. Contact the HR department.”
The Dangerous Capabilities of Chameleon
Chameleon has a frightening array of capabilities. It can conduct on-device fraud (ODF) and transfer funds from users’ accounts. Additionally, it uses overlays and extensive permissions to harvest credentials, contact lists, SMS messages, and geolocation information. If the malware infects a device with access to corporate banking, it poses a significant risk to the organization.
Why the CRM Disguise Works
ThreatFabric explains that the choice to disguise the malware as a CRM app targets employees whose roles involve CRM systems. These employees are more likely to have access to business banking accounts, making the threat even more severe.
A Broader Context of Cyber Threats
This discovery comes just weeks after IBM X-Force detailed a separate banking malware campaign in Latin America. The CyberCartel group used malicious Google Chrome extensions to steal credentials and financial data, delivering a trojan named Caiman. They aimed to install a harmful browser plugin and use the Man-in-the-Browser technique to collect sensitive banking information.