2024-08-05 Android CHAMELEON Samples
2024-08-05 Chameleon is now targeting employees: Masquerading as a CRM app
2023-12-23 Android Banking Trojan Chameleon can now bypass any Biometric Authentication
- Canada (July 2024): Chameleon disguised itself as a Customer Relationship Management (CRM) app, specifically targeting employees of a Canadian restaurant chain that operates internationally. The aim was to infiltrate business banking accounts by exploiting the employees' roles, which likely involve handling sensitive financial information through CRM systems.
- UK and Italy (January 2023): The Trojan impersonated legitimate applications such as Google Chrome and government-related apps to deceive users and infiltrate their devices. This tactic significantly increases the likelihood of successful infections by leveraging the trust users place in these widely recognized apps.
Payload Delivery and Exploitation:
- Multi-Stage Process: In the July 2024 campaign, Chameleon used a dropper capable of bypassing Android 13+ security restrictions. The dropper tricked users into reinstalling a fake CRM app, which secretly deployed the Chameleon payload, allowing it to operate unnoticed.
- Zombinder Framework: In the January 2023 campaign, Chameleon was distributed via the Zombinder framework, which deployed both Chameleon and Hook malware families through a sophisticated two-stage payload process. This method utilized Android’s PackageInstaller to facilitate the installation of malicious components.
Advanced Features and Exploitation Techniques:
- Accessibility Service Exploitation: Chameleon leverages the Accessibility Service on Android devices to carry out Device Takeover (DTO) attacks. This service is crucial for the Trojan's ability to log keystrokes, harvest credentials, and execute commands that allow it to control the device remotely.
- Bypassing Android 13 Restrictions: The Trojan adapts to the latest Android 13 restrictions by displaying HTML pages that guide users to enable the Accessibility Service, thereby circumventing security features designed to block such malware.
- Biometric Disruption: A new feature in the updated variant allows Chameleon to bypass biometric authentication, forcing a fallback to PIN-based authentication. This enables the malware to capture PINs and passwords, which it can use to unlock the device and further exploit the victim's data.
├── 2023-12-23
│ ├── 0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6 com busy lady apk
│ ├── 2211c48a4ace970e0a9b3da75ac246bd9abaaaf4f0806ec32401589856ea2434 apk
│ └── Android Banking Trojan Chameleon can now bypass any Biometric Authentication pdf
└── 2024-08-05
  ├── 651add695718f305f749b1d2a06c44951631904ea166d202c95515549b9c25c9 Tim Hortons CRM apk
  └── b8ea74902684dcced62a5ca2c1d6932659decfefcbdb2615bfe5899e05eb1451 Employee CRM apk