Chameleon Android Trojan Targets Users Through Fake CRM App
Researchers have identified a new technique used by the Chameleon Android banking trojan to target users. This time, the threat actors are disguising their malicious software as a Customer Relationship Management (CRM) app.
Dutch security company ThreatFabric recently published a report detailing how Chameleon has been used to target a Canadian restaurant chain operating internationally. This campaign, spotted in July 2024, has impacted users not just in Canada but also in Europe, expanding its reach from earlier targets in Australia, Italy, Poland, and the U.K.
How Does the Chameleon Trojan Work?
The Chameleon trojan disguises itself as a legitimate CRM app, which is software businesses use to manage interactions with customers. Once installed, the app displays a fake login page. After the user enters their credentials, the app shows a bogus error message urging the user to reinstall it. This step is a trick to deploy the Chameleon payload, which is the malicious part of the software.
After the trojan is successfully installed, it shows another fake CRM login page. When the user tries to log in again, it displays a message saying, "Your account is not activated yet. Contact the HR department." This continuous loop is designed to confuse the user while the malware starts its job in the background.
Bypassing Security Measures
Chameleon is designed to bypass security restrictions in Android 13 and later versions. These restrictions prevent sideloaded apps (apps installed from sources other than the official app store) from requesting dangerous permissions like accessibility services. Similar tactics have been used by other malware such as SecuriDropper and Brokewell.
What Does Chameleon Do?
Once installed, Chameleon has several harmful capabilities:
- On-Device Fraud (ODF): This means it can conduct fraudulent activities directly on the infected device.
- Credential Harvesting: It can steal login details, contact lists, SMS messages, and geolocation information.
- Funds Transfer: It can transfer money out of the victim's accounts fraudulently.
According to ThreatFabric, if the trojan infects a device with access to corporate banking, it poses a significant risk to business banking accounts. This is particularly dangerous for employees dealing with CRM tools, as they are likely to have access to sensitive financial information.
Related Threats
The discovery of Chameleon comes shortly after another alarming finding by IBM X-Force. They detailed a campaign by the CyberCartel group in Latin America, which used malicious Google Chrome extensions to deliver a trojan named Caiman. This malware aims to install a harmful browser plugin and use the Man-in-the-Browser technique to collect sensitive banking information and take on-demand screenshots.
How to Protect Yourself
To safeguard against these kinds of threats:
- Only download apps from official app stores. Avoid third-party sites, as they are more likely to host malicious software.
- Keep your device updated. Software updates often include security patches that can protect against the latest threats.
- Use reliable antivirus software. These tools can detect and remove malware before it causes harm.
- Be cautious of unusual app behavior. If an app asks you to reinstall it or requests excessive permissions, it might be a red flag.
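The combination described under "Bypassing Security Measures", a sideloaded app that holds an enabled accessibility service, can be checked for on a device you manage. The script below is an added example, not code from ThreatFabric's report; it parses the output of two standard adb commands, and the package names, sample output and the trusted-installer list are constructed assumptions.

```python
import re

# Assumption: only Google Play counts as an official installer; extend for your fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` (third-party apps + installer).
SAMPLE_PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.crmportal  installer=com.google.android.packageinstaller
package:com.example.flashlight  installer=null
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.crmportal/.core.A11yService:com.example.notes/.ReaderService"

def parse_installers(text):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_a11y_services(value):
    """Map package name -> enabled accessibility service classes."""
    services = {}
    value = value.strip()
    if value in ("", "null"):
        return services
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def flag_sideloaded_a11y(pkg_text, a11y_value):
    """Return (package, installer, services) for non-store apps holding accessibility."""
    installers = parse_installers(pkg_text)
    findings = []
    for pkg, classes in sorted(parse_a11y_services(a11y_value).items()):
        # Packages absent from the -3 listing are preinstalled system apps; skip them.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers[pkg], classes))
    return findings

if __name__ == "__main__":
    for pkg, installer, classes in flag_sideloaded_a11y(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"REVIEW {pkg}: installer={installer}, accessibility services={classes}")
```

A finding is a prompt for review rather than proof of infection, since legitimate enterprise apps are sometimes sideloaded and use accessibility services.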
By staying vigilant and employing robust security measures, users can protect themselves from the ever-evolving landscape of cyber threats.