The Android banking Trojan known as The Chameleon has resurfaced with new security-bypass capabilities, targeting employees in the hospitality sector and other businesses across Canada and Europe. This malicious software disguises itself as a customer relationship management (CRM) application, putting organizations at risk of having their banking accounts compromised.
Researchers from ThreatFabric recently discovered the latest variant of this Trojan, which uses a dropper to bypass the AccessibilityService restrictions introduced in Android 13 and later. The primary target of this new campaign appears to be a popular restaurant chain in Canada with global operations. By posing as a CRM app, Chameleon tricks employees into entering their credentials, allowing the malware to gain access to sensitive information.
According to ThreatFabric, the decision to impersonate a CRM application may be linked to the broad access to organizational data that employees in CRM roles typically have. In addition to targeting business employees, the Trojan has also been observed masquerading as a security application tailored to customers of specific financial institutions.
The Chameleon malware first emerged in late 2022/early 2023, initially appearing as a rudimentary threat. However, it quickly evolved into a more sophisticated form that could bypass biometric security measures. Despite flying under the radar for some time, The Chameleon has now returned with enhancements designed to outsmart the latest Android security features.
One notable aspect of the updated Trojan is its ability to bypass the Android 13+ AccessibilityService restrictions, a crucial capability for modern banking Trojans that depend on accessibility permissions. Delivered through the BrokewellDropper, Chameleon brings an extensive set of device-takeover capabilities, making it a formidable threat to organizations and individuals alike.
The latest disguise adopted by Chameleon is not surprising, as the malware has historically posed as trusted apps such as those from financial institutions. Once installed, the dropper presents a fake CRM login page that prompts users to enter their employee ID, then tricks them into reinstalling the malicious application. This reinstallation step is what lets Chameleon sidestep the AccessibilityService restrictions and subsequently harvest sensitive information through keylogging.
The resurgence of The Chameleon highlights the evolving tactics employed by cybercriminals targeting mobile devices. Organizations must remain vigilant and educate their employees about the risks posed by banking malware. Additionally, financial institutions should proactively monitor for any suspicious activity to safeguard their customers’ accounts from potential threats.
In conclusion, The Chameleon’s return serves as a stark reminder of the ever-present dangers of mobile banking malware. By staying informed and implementing robust security measures, businesses can protect themselves and their customers from falling victim to these insidious threats.
