Cybersecurity researchers have discovered a new campaign by the threat actors behind Chameleon, an Android banking trojan, targeting users in Canada under the guise of a customer relationship management (CRM) application.
“Chameleon has been spotted posing as a CRM application targeting an internationally operating Canadian restaurant chain,” Dutch security company ThreatFabric said in a technical report published on Monday.
The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victim footprint beyond Australia, Italy, Poland and the UK.
The use of CRM-related themes for the malware-laden droppers suggests the intended victims are employees in the hospitality sector and at other B2C (business-to-consumer) companies, that is, people whose job involves using a CRM tool.
The dropper artifacts are also designed to bypass the Restricted Settings protection Google introduced in Android 13 and later, which blocks sideloaded apps from being granted dangerous permissions such as accessibility services. The same bypass, which relies on the session-based package installation API so that the app appears to have been installed by a store rather than from an APK file, was previously used by SecuriDropper and Brokewell.
Once installed, the app displays a fake CRM login page and then a fake error message urging the victim to reinstall the app, while in reality it deploys the Chameleon payload.
After this step, the fake CRM web page loads again, this time asking the victim to complete the login process, only to display another error message: “Your account has not been activated yet. Contact HR.”
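A practical check for the infection chain described above is to look for exactly the combination it produces: a third-party app that was not installed by an app store and yet holds an enabled accessibility service, or an app that acted as the installer for another app (the dropper pattern). The script below is an added example, not ThreatFabric's code; it parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and the sample outputs and package names (`com.example.crmportal`, `com.example.helper`, `com.acme.bank`) are constructed for the example.

```python
"""Triage an Android device for sideloaded apps holding accessibility access.

Added example (not ThreatFabric's code). It parses constructed copies of two
adb command outputs and flags third-party apps that were not installed by an
app store but have an accessibility service enabled, apps installed by another
third-party app, and apps that acted as installer for another app (dropper).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps only,
# with the package that installed each one). Package names are hypothetical.
SAMPLE_PM_LIST = """\
package:com.google.android.gm  installer=com.android.vending
package:com.example.crmportal  installer=null
package:com.example.helper  installer=com.example.crmportal
package:com.acme.bank  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs.
SAMPLE_A11Y = (
    "com.example.helper/com.example.helper.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Installers treated as legitimate store fronts. Extend for OEM stores as needed.
STORE_INSTALLERS: Set[str] = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package, or None when pm reports installer=null."""
    out: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            out[pkg] = None if inst == "null" else inst
    return out


def parse_enabled_services(value: str) -> Set[str]:
    """Return the packages that currently have an accessibility service enabled."""
    pkgs: Set[str] = set()
    for entry in value.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    reasons: List[str]


def triage(installers: Dict[str, Optional[str]], a11y_pkgs: Set[str],
           store_installers: Set[str] = STORE_INSTALLERS) -> List[Finding]:
    # Reverse index: which third-party apps were installed by another third-party app.
    installed_by: Dict[str, List[str]] = {}
    for pkg, inst in installers.items():
        if inst is not None and inst in installers:
            installed_by.setdefault(inst, []).append(pkg)

    findings: List[Finding] = []
    for pkg, inst in installers.items():
        reasons: List[str] = []
        sideloaded = inst is None or inst not in store_installers
        if sideloaded and pkg in a11y_pkgs:
            reasons.append("sideloaded app with an enabled accessibility service")
        if inst is not None and inst in installers:
            reasons.append(f"installed by third-party app {inst} (dropper pattern)")
        for child in installed_by.get(pkg, []):
            reasons.append(f"acted as installer for {child} (dropper behaviour)")
        if reasons:
            findings.append(Finding(pkg, inst, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_installers(SAMPLE_PM_LIST), parse_enabled_services(SAMPLE_A11Y)):
        print(f"{f.package} (installer={f.installer}):")
        for r in f.reasons:
            print(f"  - {r}")
```

On a real device, replace the two constructed strings with the live command output. The second and third reasons are the ones that matter for the session-based installer bypass: a payload installed that way carries the dropper's package name in the installer field rather than `null`, so checking only for `installer=null` misses it.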
Chameleon is equipped to conduct on-device fraud (ODF) and fraudulently transfer user funds, and it uses overlays and a wide range of permissions to collect credentials, contact lists, SMS messages and geolocation information.
“If attackers manage to infect a device with corporate banking access, Chameleon gains access to corporate bank accounts and poses a significant threat to the organization,” ThreatFabric said. “The increased likelihood of such access for employees whose roles include CRM is a likely reason for the choice of masquerade during this latest campaign.”
The development comes weeks after IBM X-Force detailed a Latin American banking malware campaign, run by a group tracked as CyberCartel, that steals account and financial data and delivers a trojan called Caiman via malicious Google Chrome extensions.
“The ultimate goal of these malicious activities is to install a malicious browser plug-in in the victim’s browser and use a man-in-the-browser technique,” the company said.
“This allows attackers to illegally harvest sensitive banking information along with other relevant data such as compromised machine information and on-demand screenshots. Updates and configurations are distributed through a Telegram channel by the threat actors.”