Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app.
"Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday.
The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K.
The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees.
The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., accessibility services), a technique previously employed by SecuriDroper and Brokewell.
Once installed, the app displays a fake login page for a CRM tool and then displays a bogus error message urging the victims to reinstall the app, when, in reality, it deploys the Chameleon payload.
This step is followed by loading the phony CRM web page again, this time asking them to complete the login process, only to display a different error message stating "Your account is not activated yet. Contact the HR department."
Chameleon is equipped to conduct on-device fraud (ODF) and fraudulently transfer users' funds, while also leveraging overlays and its wide-ranging permissions to harvest credentials, contact lists, SMS messages, and geolocation information.
"If the attackers succeed in infecting a device with access to corporate banking, Chameleon gets access to business banking accounts and poses a significant risk to the organization," ThreatFabric said. "The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of the masquerading during this latest campaign."
The development comes weeks after IBM X-Force detailed a Latin American banking malware campaign undertaken by the CyberCartel group to steal credentials and financial data as well as deliver a trojan named Caiman by means of malicious Google Chrome extensions.
"The ultimate objective of these malicious activities is to install a harmful browser plugin on the victim's browser and use the Man-in-the-Browser technique," the company said.
"This allows the attackers to illegally collect sensitive banking information, along with other relevant data such as compromised machine information and on-demand screenshots. Updates and configurations are disseminated via a Telegram channel by the threat actors."