
The Return of the Chameleon Banking Trojan Disguised as a CRM app

The goal of Chameleon’s most recent campaign is to obtain unauthorized access to corporate banking accounts by targeting staff members of a well-known Canadian restaurant chain with international operations. This poses a “significant risk” to these organizations, according to Threat Fabric. The Trojan poses as a CRM app because employees in CRM roles are likely to have access to sensitive financial data, which makes them prime targets for such attacks. Targeting individual banking clients has given way to concentrating on corporate staff who have greater access to financial resources.

By posing as a security application, the malware also targets clients of particular financial institutions. To intercept private communications, it installs a phony security certificate purportedly issued by the victims’ banks. Because of its versatility, Chameleon can adapt its features and commands to suit different environments. The Trojan, first discovered in late 2022 and early 2023, was initially little known but has since developed into a more serious threat that can get past biometric security.

Chameleon’s ability to bypass the restrictions introduced in Android 13 is a significant development. This is accomplished through the recently leaked BrokewellDropper delivery tool, which gives threat actors strong device takeover capabilities. The dropper is essential for installing the Trojan and circumventing security measures, and it keeps the Trojan hidden and active on compromised devices.

Chameleon has a history of impersonating trusted apps, which is consistent with its recent disguise as a CRM login page. In the past, it has imitated apps from organizations such as the Australian Taxation Office and well-known Polish financial institutions. In the current campaign, the dropper displays a phony CRM login page that asks for an employee ID, then asks the user to reinstall the application, which is the Trojan itself. To allay suspicion, it displays an error message after installation and then requests credentials once more on a phony website.

Once installed, the Chameleon app works quietly in the background to gather personal information using keylogging and other techniques. This stolen data could be used in later attacks or sold on dark web forums for illicit use. As this growing sophistication shows, cybercriminals are evolving and upgrading their strategies to target larger assets, such as corporate and business accounts, rather than just individual mobile banking credentials.

Threat Fabric warns that the growth of business mobile banking products creates new opportunities for cybercriminals to exploit. Organizations must remain aware because attackers are always developing new ways to circumvent mobile defenses. Preventive measures include alerting business clients to the dangers of mobile banking malware and monitoring for unusual activity to stop threats before they do damage.

Financial institutions are urged to use their insight into client accounts to identify and stop malicious activity before it becomes serious. To counteract emerging threats like Chameleon and protect individual users and business banking clients from the rising risks of mobile malware, proactive security and awareness campaigns will be crucial.
