Cybersecurity researchers have uncovered a new technique used by the Chameleon Android banking trojan, which targets users in Canada by posing as a Customer Relationship Management (CRM) app.
Researchers reported on Monday that Chameleon was seen disguising itself as a CRM app, specifically targeting a Canadian restaurant chain with international operations. The campaign, detected in July 2024, also targeted customers in Europe, marking an expansion from the trojan's previous focus on Australia, Italy, Poland, and the U.K.
The use of CRM-themed dropper apps suggests the targets are customers in the hospitality sector and Business-to-Consumer (B2C) employees. The droppers are built to bypass Restricted Settings, the safeguard introduced in Android 13 that blocks sideloaded apps from requesting dangerous permissions such as accessibility services; the same bypass technique has previously been used by SecuriDropper and Brokewell.
Once installed, the app displays a fake login page for a CRM tool, followed by a bogus error message urging victims to reinstall the app. In reality, this step deploys the Chameleon payload. The app then reloads the fake CRM web page, asking users to complete the login process, only to display another error message stating, “Your account is not activated yet. Contact the HR department.”
Chameleon can carry out on-device fraud (ODF), initiating fraudulent transfers of the victim's funds from the infected device itself, and it uses overlays together with the broad permissions it obtains to harvest credentials, contact lists, SMS messages, and geolocation data.
If an infected device is also used for corporate banking, Chameleon gives the attackers a path into business banking accounts, which is a significant risk to the organization. Such access is more likely on the devices of employees whose roles involve CRM tools, which is probably why this lure was chosen for the latest campaign.
To avoid falling prey to the Chameleon trojan, users should be cautious when installing CRM and other business-related apps, ensuring they come from verified sources. Organizations should educate employees about the risks of sideloading apps and enforce strict app installation policies.
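The abuse of accessibility services by sideloaded apps described above, and the app-installation policy recommended here, suggest a simple triage check for defenders: list every package that has an accessibility service enabled and flag any that was not installed by a trusted store. The script below is an added example written for this article, not tooling from the researchers or from any security vendor. It parses two constructed samples whose format is assumed to match `adb shell pm list packages -i` (`package:<name>  installer=<installer|null>`) and `adb shell settings get secure enabled_accessibility_services` (colon-separated `<package>/<service class>` entries, or `null` when none are enabled); the package names are made up.

```python
import re

# Constructed sample in the assumed format of `adb shell pm list packages -i`.
# "installer=null" is what a sideloaded package shows.
SAMPLE_PM_LIST = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.crm.portal  installer=null
package:com.example.mail  installer=com.android.vending
"""

# Constructed sample in the assumed format of
# `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED_A11Y = (
    "com.crm.portal/com.crm.portal.AccessService:"
    "com.example.mail/.ReaderService"
)

# Installers considered legitimate; add your MDM's installer package if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_pm_list(text):
    """Map package name -> installer package (None when sideloaded)."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_services(value):
    """Map package name -> list of enabled accessibility service classes."""
    value = value.strip()
    if not value or value == "null":
        return {}
    services = {}
    for entry in filter(None, value.split(":")):
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def find_suspicious(pm_text, a11y_value, trusted=TRUSTED_INSTALLERS):
    """Return packages with an enabled accessibility service whose installer is
    not trusted (including packages missing from the installer list entirely)."""
    installers = parse_pm_list(pm_text)
    enabled = parse_enabled_services(a11y_value)
    findings = []
    for pkg, classes in enabled.items():
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append(
                {"package": pkg, "installer": installer, "services": classes}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PM_LIST, SAMPLE_ENABLED_A11Y):
        print(f"SUSPICIOUS {f['package']} installer={f['installer']} "
              f"services={','.join(f['services'])}")
```

On the constructed input only `com.crm.portal` is flagged: it has an accessibility service enabled and no recorded installer, which is exactly the combination a CRM-themed dropper produces after it has walked the victim past Restricted Settings. The check is a triage aid, not proof of compromise; the installer field can be absent for legitimate reasons (pre-installed or ADB-installed apps), so treat hits as leads for further review of the package.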