Mobile Threat Intelligence analysts uncovered new Chameleon Trojan campaigns in July 2024 targeting Europe and Canada, including a novel CRM app masquerade aimed at a Canadian restaurant chain.
The campaigns employ a multi-staged distribution model, utilizing a dropper capable of bypassing Android 13+ restrictions. The evolving tactics of Chameleon underscore the persistent threat it poses, demanding heightened vigilance from security professionals.
As part of a new cyberattack campaign, hospitality employees are the target of a disguised customer relationship management (CRM) app.
The use of a specific restaurant chain's brand in file names uploaded to VirusTotal indicates that the campaign is most likely run by the Chameleon threat actor and shows targeted intent: an attack aimed at hospitality industry employees, with the potential to steal sensitive data or infiltrate systems.
A targeted Chameleon banking Trojan campaign leverages a dropper capable of circumventing Android 13+ restrictions, suggesting widespread availability of this bypass technique.
The dropper disguises itself as a CRM login page to deceive hospitality and potential B2C business employees. Once installed under the guise of a necessary app reinstallation, the Chameleon payload gains accessibility service permissions, enabling it to bypass further security measures.
The campaign specifically targets employees with CRM access, likely due to increased exposure to business banking accounts, posing a significant financial risk to organizations.
After the software installation, a malicious actor deployed a fake website that fraudulently requested employee credentials.
The Chameleon keylogger, already active on the device, concurrently captures these credentials and other sensitive data, which poses a significant risk by enabling further attacks or sale on underground marketplaces.
The fake website is designed to mimic a legitimate login page, tricking unsuspecting users into entering their credentials; a compromised device requires immediate remediation to prevent data exfiltration and potential future breaches.
Once submitted, the keylogger intercepts the credentials and sends them to the attacker, who can then access the employee's accounts without authorization and potentially compromise the entire network.
Mobile Threat Intelligence has identified an increase in Chameleon malware activity that appears to be targeting customers of particular financial institutions.
The malware disguises itself as a legitimate security app and installs a fraudulent security certificate presented as having been issued by the targeted bank, potentially enabling unauthorized access and data theft.
According to Threat Fabric, cybercriminals are increasingly targeting employees of B2C businesses to gain unauthorized access to business banking accounts via mobile devices.
The proliferation of mobile banking products for SMEs, coupled with their convenience, presents a lucrative opportunity for attackers. Malware like Chameleon poses a significant threat, enabling unauthorized access and financial loss.
Financial institutions must implement robust security measures, including malware detection, anomaly detection, and extensive customer education, to safeguard business accounts and mitigate the risks associated with mobile banking.
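The article notes that the Chameleon payload obtains accessibility service permissions after installation and that organizations should invest in malware detection. One practical, defender-side check is to audit which packages on a managed Android device currently hold accessibility access and flag any that are not on a policy allowlist. The script below is an added example written for this page, not code from Mobile Threat Intelligence, ThreatFabric or the Chameleon analysis; it assumes adb is installed with one device attached in debug mode, and the allowlist entry and sample setting value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit accessibility-service
# grants on an Android device, since the article describes the Chameleon
# payload abusing that permission once installed.
# Assumptions: adb is on PATH and a single debug-enabled device is connected.
# The allowlist is a constructed placeholder; replace it with your fleet policy.

ALLOWLIST="com.google.android.marvin.talkback"

# Reduce the raw value of the 'enabled_accessibility_services' secure setting
# (a colon-separated list of package/ServiceClass entries) to one package
# name per line. Empty input or the literal "null" yields no output.
list_accessibility_packages() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print packages that hold accessibility access but are not on the allowlist.
# Returns 1 when at least one unexpected package is found, 0 otherwise.
flag_unexpected() {
    raw="$1"
    found=0
    for pkg in $(list_accessibility_packages "$raw"); do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;
            *) echo "UNEXPECTED accessibility service: $pkg"; found=1 ;;
        esac
    done
    return $found
}

# Live check against the connected device; opt in with AUDIT_LIVE=1 so the
# functions above can also be exercised offline on captured values.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unexpected "$value"
fi
```

Run it as `AUDIT_LIVE=1 sh audit_a11y.sh` against a connected device; a non-zero exit status means at least one package outside the allowlist has accessibility access and warrants investigation. The same parser can be pointed at values collected by an MDM export, which is why the device query is kept separate from the parsing and comparison logic.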