{
	"id": "6f33fee8-1ef6-4288-b6a7-0998367737be",
	"created_at": "2026-04-06T00:16:35.123364Z",
	"updated_at": "2026-04-10T03:24:29.205661Z",
	"deleted_at": null,
	"sha1_hash": "d62a50d4ee676cb51d65d10dbe2a66bf64ef3840",
	"title": "Chameleon is now targeting employees: Masquerading as a CRM app",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 863381,
	"plain_text": "Chameleon is now targeting employees: Masquerading as a CRM app\r\nPublished: 2024-10-01 · Archived: 2026-04-05 18:26:55 UTC\r\nChameleon is back in Canada and Europe\r\nIn July 2024 Mobile Threat Intelligence analysts observed new campaigns from Chameleon, a Device-Takeover Trojan discovered back in December 2022. These campaigns introduced an unusual masquerading technique used in the campaign targeting Canada: masquerading as a Customer Relationship Management (CRM) app. Key takeaways from the discovered campaigns are:\r\nChameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally.\r\nTargeted regions include Europe and Canada, with potential further expansion of this list.\r\nAll the samples were seen distributed with a multi-staged approach, involving a dropper bypassing Android 13+ restrictions.\r\nNew lure: targeted attack on hospitality employees\r\nIn the latest campaign discovered by ThreatFabric, Chameleon used a rather unusual masquerading technique, posing as a CRM app. At the same time, the names of the files uploaded to VirusTotal showed the targeted approach of the campaign, as one of the names used the brand of a Canadian restaurant chain which operates internationally:\r\nhttps://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app\r\nPage 1 of 3\r\nThe naming used for the dropper and the payloads clearly shows that the intended victims of the campaign are hospitality workers and potentially B2C business employees in general. If the attackers succeed in infecting a device with access to corporate banking, Chameleon gets access to business banking accounts and poses a significant risk to the organisation. The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of masquerade during this latest campaign.\r\nThe first stage of the installation process involves a dropper capable of bypassing Android 13+ restrictions, which once again proves the prediction we made in the past – this capability has become essential for modern banking Trojans, and more actors have received access to the bypassing approach with the publication of the source code of BrokewellDropper, which we reported on previously.\r\nOnce loaded, the dropper displays a fake page masquerading as a CRM login page, requesting the Employee ID. Then a message asking to reinstall the application pops up, when in actual fact it installs a Chameleon payload, bypassing Android 13+ AccessibilityService restrictions.\r\nAfter installation, a fake website is loaded, again asking for the credentials of the employee. At the time of writing this report, after submitting the credentials, an error message was displayed.\r\nBecause Chameleon is already running in the background, it is also able to collect credentials and other sensitive information using keylogging. Such information can be used in further attacks, or the actors can monetise it by selling it on underground forums.\r\nAs a part of the rising activity of Chameleon, the Mobile Threat Intelligence service has also observed attacks on customers of specific financial organisations; in this case the malware was masquerading as a security app installing a security certificate released by the bank.\r\nConclusions\r\nCybercriminals tend to find original ways to target bigger assets, now targeting employees of B2C businesses and aiming to get access to business banking accounts. With the rising number of banking products for businesses (especially small and medium) and the convenience of having them available through mobile, we can expect cybercriminals to further explore the approach of targeting such mobile devices and their users. Financial organisations can take preventive steps and educate business customers about the potential impact of mobile banking malware like Chameleon and the consequences of it landing on a mobile device with access to business banking accounts. Moreover, with the ability to detect the presence of malware on the customer’s device (especially those used to access business accounts) and spot anomalies in activity and behaviour, banks get additional visibility to keep the customers’ assets safe.\r\nSource: https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app"
	],
	"report_names": [
		"chameleon-is-now-targeting-employees-masquerading-as-crm-app"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d62a50d4ee676cb51d65d10dbe2a66bf64ef3840.pdf",
		"text": "https://archive.orkl.eu/d62a50d4ee676cb51d65d10dbe2a66bf64ef3840.txt",
		"img": "https://archive.orkl.eu/d62a50d4ee676cb51d65d10dbe2a66bf64ef3840.jpg"
	}
}