Chameleon Banking Trojan Makes a Comeback Cloaked as CRM App

The Chameleon Android banking Trojan is back on the threat scene, armed with new Android security-bypass features. The malware poses as a customer relationship management (CRM) application and targets employees in the hospitality sector and other business employees on two continents.

Researchers from Threat Fabric revealed that the device-takeover Trojan is targeting "hospitality workers and potentially B2C business employees in general" across Canada and Europe. Researchers say the new variant uses a dropper that can bypass Android 13+ AccessibilityService restrictions.

The Trojan is targeting a popular restaurant chain in Canada, which operates globally, to get access to corporate banking accounts, which would pose a "significant risk" to the organizations breached, according to Threat Fabric.

"The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of the masquerading during this latest campaign," according to a blog post from Threat Fabric.

Researchers also see evidence of attacks that target "customers of specific financial organizations" in which Chameleon masquerades as a security application to install a security certificate released by the victims' banks as part of the malware's resurgence.

Shape-Shifting Malware

Security researchers first detected Chameleon — which got its name for its ability to adapt to its environment through multiple new commands — around December 2022/January 2023, when it appeared in its earliest form as a work in progress. Except for an appearance late last year with a significantly more fully featured variant that could bypass biometric security, the malware has been flying under the radar.

Now it has evolved yet again, with new features that show how its operators are changing the malware to keep up with the Android OS as it also becomes fortified with advanced security features.

According to the Threat Fabric post, "Most significant is the Trojan's ability to bypass Android 13+ restrictions, which once again proves the prediction we made in the past — this capability has become essential for modern banking Trojans."

Chameleon's use of the BrokewellDropper for delivery is significant to this bypass; indeed, since the leak of the source code for the dropper — which has an extensive set of device-takeover capabilities — more threat actors now have access to security bypass on the Android OS, according to Threat Fabric.

Trojan's Latest Disguise

Chameleon's most recent disguise should be no surprise to security researchers tracking the Trojan, as the malware, like other Trojans, has historically impersonated trusted apps. Previously, Chameleon came cloaked as an app from institutions such as the Australian Taxation Office (ATO) or one of several popular banking apps in Poland to steal data from user devices.

Once loaded, the dropper displays a fake page masquerading as a CRM login page, requesting the employee ID. It then displays a message asking to reinstall the application, which is actually Chameleon, which installs and bypasses Android AccessibilityService restrictions. After installation, the Trojan loads a fake website again asking for the employee's credentials. If submitted, the app displays an error page, according to Threat Fabric.

Chameleon remains running in the background on a device, which means it can also collect other credentials and sensitive info from a user by using keylogging. "Such information can be used in further attacks or the actors can monetise it by selling  it on underground forums," according to the post.

More Sophisticated Attacks

The latest Chameleon campaign demonstrates how Trojan-wielding cybercriminals are finding new and innovative ways to target bigger assets beyond the banking credentials of individual mobile users, according to Threat Fabric. This should put all organizations on high alert to the evolving mobile threat landscape.

"With the rising number of banking products for businesses (especially small and medium) and the convenience of having them available through mobile, we can expect cybercriminals to further explore the approach of targeting such mobile devices and its users," according to the post.

To combat these threats, financial organizations can take preventive measures to educate business customers about the potential impact of mobile banking malware like Chameleon and the consequences these malicious apps can bring, according to Threat Fabric. Moreover, given their visibility into customers' financial accounts, banks should also become more proactive in spotting anomalies in activity and behavior to stop threats before they compromise accounts.