August 7, 2024 at 03:30AM
Cybersecurity researchers uncovered a new tactic used by threat actors behind the Chameleon Android banking trojan. Masquerading as a Customer Relationship Management (CRM) app, the campaign targeted a Canadian restaurant chain and expanded to Europe. The malicious app deceives users with fake login pages to deploy the Chameleon payload, enabling on-device fraud and credential harvesting.
From the meeting notes, we gathered information about a new technique employed by threat actors using the Chameleon Android banking trojan to target users in Canada by posing as a Customer Relationship Management (CRM) app. The campaign, observed in July 2024, expanded its victimology footprint from Australia, Italy, Poland, and the U.K. to target customers in Canada and Europe, particularly those in the hospitality sector and Business-to-Consumer (B2C) employees. The trojan is designed to bypass Restricted Settings on Android 13 and later in order to deploy the Chameleon payload. Once installed, it conducts on-device fraud (ODF) and fraudulently transfers users’ funds, while also harvesting credentials, contact lists, SMS messages, and geolocation information.
Additionally, the meeting notes mention a Latin American banking malware campaign conducted by the CyberCartel group to steal credentials and financial data and deliver a trojan named Caiman through malicious Google Chrome extensions. The objective of these activities is to install a harmful browser plugin on the victim’s browser using the Man-in-the-Browser technique to collect sensitive banking information and other relevant data.
Lastly, the notes provided information about how updates and configurations for the malicious activities are disseminated via a Telegram channel by the threat actors.
Overall, the meeting notes highlighted the evolving tactics used by threat actors to target businesses and individuals through the deployment of banking trojans and malicious browser plugins, posing a significant risk to organizations and individuals.