| Chameleon Trojan | |
| --- | --- |
| Type of Malware | Trojan |
| Targeted Countries | Australia |
| Date of initial activity | 2023 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
| Type of Information Stolen | Financial Information |
Overview
The Chameleon Trojan has resurfaced with a new wave of sophisticated campaigns, bringing heightened risks to businesses in Canada and Europe. First identified in December 2022, Chameleon is a powerful device-takeover malware that is now deploying a clever new strategy: disguising itself as a Customer Relationship Management (CRM) app to infiltrate employee devices. Targeting hospitality industry workers, particularly those in customer-facing roles, Chameleon seeks to exploit the trust these employees place in essential business apps to access sensitive corporate data, including business banking credentials. This shift signals a concerning trend in cyberattacks, where attackers bypass traditional corporate defenses by focusing on individual mobile devices used by employees.
In recent campaigns, Chameleon has adopted a multi-staged infection process that takes advantage of Android’s security vulnerabilities. Analysts from Mobile Threat Intelligence have observed that Chameleon uses a specialized dropper that bypasses Android 13+ restrictions, an increasingly critical capability for banking Trojans. The malware masquerades as a CRM tool, urging employees to input credentials under the guise of legitimate business interactions. Once the Trojan secures initial access, it deploys keylogging functionalities and uses fake login pages to collect further credentials. The data gathered is either exploited for immediate financial gain or sold to other threat actors, making Chameleon a significant threat to organizations that rely on mobile devices for accessing corporate accounts.
Targets
Individuals
How they operate
Chameleon’s infection chain begins with a multi-staged dropper, which is designed to bypass Android 13+ security restrictions—a feature becoming increasingly critical for modern Android malware. This dropper employs evasion techniques similar to those found in BrokewellDropper, a well-known Android dropper that circumvents restrictions by exploiting Accessibility Service vulnerabilities. Once installed, Chameleon launches a simulated CRM app interface, designed to trick users into entering their Employee ID and other credentials. The initial masquerading phase not only establishes trust with the user but also begins the process of gathering sensitive information that will later be exploited by the malware.
After successfully bypassing security restrictions, Chameleon gains privileged access to the infected device, enabling it to run in the background undetected. The Trojan utilizes keylogging and input-capture techniques to collect login credentials, Employee IDs, and other sensitive information. By mimicking legitimate login pages and prompting for additional user actions, Chameleon captures data from unwitting users who believe they are interacting with a legitimate app. The malware then transmits the harvested data over encrypted channels to a remote command-and-control (C2) server. This data can be monetized directly by the attackers or sold on the dark web to other threat actors, significantly increasing the financial impact of each successful infection.
Chameleon’s technical sophistication extends to its defense evasion techniques, which are designed to keep the Trojan hidden from antivirus and mobile threat detection software. The malware employs a fake website that loads during the installation process, creating the illusion of normal app behavior while hiding its malicious processes in the background. Additionally, Chameleon continuously monitors the device for potential user actions or system changes that could interfere with its operation, allowing it to reinitiate processes as needed. This persistence mechanism ensures that the Trojan can maintain access to the device even after restarts, which is particularly concerning for companies whose employees use mobile devices for sensitive tasks, such as accessing corporate banking accounts.
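The behaviours described above (a sideloaded app that obtains an Accessibility Service for input capture and draws fake login screens over other apps) leave traces a responder can check for from a workstation. The script below is an added, defender-side example and is not code from this profile or from any vendor tool: it parses the text output of three `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -i`, and `appops get <package> SYSTEM_ALERT_WINDOW`) and flags packages that were not installed from the Play Store yet hold accessibility and overlay capabilities. The command output formats are assumed from normal adb behaviour; the package names and sample outputs are constructed for the example, and the trusted-installer set is a placeholder to adjust per fleet.

```python
"""Added triage example (not from the original profile or any vendor tool).

Flags sideloaded Android packages that hold the two capabilities a
Chameleon-style takeover Trojan relies on: an enabled Accessibility Service
(keylogging / input capture) and the SYSTEM_ALERT_WINDOW overlay permission
(fake login screens). On Android 13+ the "restricted settings" control is
meant to keep sideloaded apps from obtaining accessibility access, so any such
package that has it anyway deserves a closer look.

Inputs are the raw text of these adb commands, captured from the device:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
    adb shell appops get <package> SYSTEM_ALERT_WINDOW      # one per package
The sample outputs at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Installers whose apps went through a store review pipeline (assumption:
# Play Store only). Anything else, including installer=null, counts as
# sideloaded. Add an OEM store here if the fleet uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}

_INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
_OVERLAY_RE = re.compile(r"SYSTEM_ALERT_WINDOW:\s*allow\b")


def parse_enabled_accessibility(raw: str) -> Dict[str, List[str]]:
    """Map package -> enabled accessibility service components.

    The setting is a ':'-separated list of flattened ComponentNames, e.g.
    'com.a/com.a.Svc:com.b/.OtherSvc'; it reads 'null' when nothing is enabled.
    """
    raw = raw.strip()
    services: Dict[str, List[str]] = {}
    if not raw or raw == "null":
        return services
    for component in raw.split(":"):
        if "/" not in component:
            continue
        pkg, svc = component.split("/", 1)
        services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package ('installer=null' becomes None)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _INSTALLER_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def overlay_allowed(appops_raw: str) -> bool:
    """True if 'appops get <pkg> SYSTEM_ALERT_WINDOW' reports the op as allowed."""
    return bool(_OVERLAY_RE.search(appops_raw))


def triage(accessibility_raw: str, installers_raw: str,
           overlay_raw_by_pkg: Dict[str, str],
           trusted=TRUSTED_INSTALLERS) -> List[dict]:
    """One finding per package with an enabled accessibility service, worst first."""
    installers = parse_installers(installers_raw)
    order = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for pkg, svcs in parse_enabled_accessibility(accessibility_raw).items():
        installer = installers.get(pkg)
        sideloaded = installer not in trusted
        overlay = overlay_allowed(overlay_raw_by_pkg.get(pkg, ""))
        if not sideloaded:
            risk = "info"     # store-reviewed app, e.g. a screen reader
        elif overlay:
            risk = "high"     # sideloaded + input capture + fake-screen capability
        else:
            risk = "medium"   # sideloaded + input capture
        findings.append({"package": pkg, "services": svcs, "installer": installer,
                         "sideloaded": sideloaded, "overlay": overlay, "risk": risk})
    return sorted(findings, key=lambda f: order[f["risk"]])


# Constructed sample outputs: a legitimate screen reader from the Play Store
# and a sideloaded "CRM portal" app holding both capabilities.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.crmportal/.AccessService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.crmportal  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_OVERLAY = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m ago",
    "com.example.crmportal": "SYSTEM_ALERT_WINDOW: allow; time=+2h14m ago",
    "com.example.notes": "No operations.",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_INSTALLERS, SAMPLE_OVERLAY):
        print(f"[{f['risk'].upper():6}] {f['package']} installer={f['installer']} "
              f"overlay={f['overlay']} services={','.join(f['services'])}")
```

Against the constructed sample, the sideloaded CRM app comes out as a high-risk finding while the Play Store screen reader is reported as informational only; packages without an enabled accessibility service are not listed. The installer-source check matters more than the app's name or icon, since the lure app looks like ordinary business software.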
The latest iteration of Chameleon demonstrates a trend toward increasingly sophisticated mobile malware that not only targets individuals but also seeks to compromise business environments. By disguising itself as a CRM tool and deploying advanced evasion strategies, Chameleon highlights the growing threat of mobile device takeovers in corporate settings. Financial institutions and businesses that rely on mobile banking or CRM platforms for daily operations should take note of this evolution in malware tactics. Educating employees about the risks, implementing strong mobile security protocols, and using real-time threat monitoring are essential steps in safeguarding business assets against sophisticated threats like Chameleon.
MITRE Tactics and Techniques
Initial Access (T1078 – Valid Accounts, T1204 – User Execution):
Chameleon uses social engineering and phishing tactics to gain initial access to the target device, often masquerading as a legitimate CRM app. The Trojan convinces users to download and run a dropper, which bypasses security features on Android devices.
Execution (T1409 – Execution through API, T1609 – Command and Scripting Interpreter):
Chameleon uses a dropper to execute its payload on the infected device. By posing as a CRM app, it initiates malicious scripts and API calls to maintain persistence and begin data exfiltration.
Persistence (T1547 – Boot or Logon Autostart Execution):
The Trojan establishes persistence by using Android’s Accessibility Services, which allows it to stay active and reinitiate itself after restarts, enabling continuous monitoring of the device.
Privilege Escalation (T1406 – Exploitation for Privilege Escalation):
Chameleon’s dropper is designed to bypass Android 13+ restrictions by exploiting device vulnerabilities, granting it the elevated permissions it needs to access sensitive information.
Defense Evasion (T1616 – Rootkit, T1408 – Bypass User Account Control):
Chameleon employs evasion techniques such as masquerading as a legitimate app to avoid detection by users and security software. Additionally, it bypasses Android restrictions using techniques seen in BrokewellDropper, allowing it to stay hidden on the device.
Credential Access (T1414 – Input Capture, T1512 – Input Prompt):
Keylogging and fake login prompts are central to Chameleon’s strategy. It uses a simulated CRM login interface to capture Employee IDs and other credentials. It also uses input capture techniques to intercept keystrokes and gain access to passwords, which can then be used for financial exploitation.
Collection (T1503 – Data from Local System):
Chameleon collects sensitive information, including login credentials, Employee IDs, and banking information stored on the device. This data is then used directly or exfiltrated for financial gain.
Exfiltration (T1041 – Exfiltration Over C2 Channel):
Chameleon sends captured credentials and other sensitive data to a remote command-and-control (C2) server. This exfiltration allows attackers to either use the data directly or sell it to other threat actors.
Impact (T1489 – Service Stop, T1499 – Endpoint Denial of Service):
Although not always part of its core capabilities, Chameleon’s access to high-privilege areas could enable it to interfere with device services, leading to potential data loss, service disruption, or exploitation for further attacks.