Security researchers have discovered that threat actors using the Chameleon Android banking trojan are targeting Canadians by hiding the trojan in a customer relationship management (CRM) app. Although specific victims haven’t been identified yet, using a CRM app to spread the trojan suggests victims are either in the hospitality business or are business-to-consumer (B2C) employees.
The campaign was discovered in July 2024 by Dutch cybersecurity firm ThreatFabric. Its technical report claims that the trojan was found impersonating a CRM app targeting a Canadian restaurant chain operating internationally. However, the campaign was also spotted targeting other Canadian and European victims, indicating an expansion from the previously targeted regions of Australia, Italy, Poland, and the UK.
On installation, the app shows a fake login page for a CRM tool but displays an error when the user tries to log in with their credentials. The app is a dropper for the banking trojan and can bypass the restrictions in Android 13 and higher. The first error asks users to reinstall the app, after which they attempt to log in again, only to be told that their account isn’t activated and they need to contact their HR department.
Chameleon is equipped with on-device fraud capabilities, meaning it can transfer users’ funds to the attacker’s accounts. If a device with access to corporate banking accounts is infected, the victim organisation can be at significant risk. Additionally, employees whose roles involve CRM tasks are more likely to have such access, which can be another reason for the trojan to impersonate a CRM app.
The trojan also has other capabilities, including harvesting credentials stored on the device, contact lists, SMS messages, and geolocation data. Since the trojan is always running in the background, it can also collect other sensitive information by keylogging. This information can be further used to carry out more targeted attacks. If not, attackers can make a quick buck by selling the harvested data on underground forums.