CRM Trap: Chameleon Infiltrates Heart of Hospitality

Researchers from ThreatFabric have uncovered a new malicious campaign known as Chameleon, targeting employees in the hospitality industry. Analysis of files obtained from VirusTotal has revealed that the attacks are specifically aimed at organizations within the hospitality sector, with mentions of a Canadian restaurant network operating internationally.

The filenames of the malicious files suggest a deliberate targeting of the restaurant business and potentially a wider Business-to-Consumer (B2C) sector. Successful infection of devices that have access to corporate bank accounts could give Chameleon control over business finances, posing a significant threat to affected organizations.

Chameleon first came to light in December 2022 as Android malware targeting banking applications in Europe. In April 2023, Chameleon was discovered masquerading as various entities, including an Australian cryptocurrency exchange, an Australian government agency, and a Polish bank.

The latest version of Chameleon features a new type of dropper that can bypass security measures in Android 13 and later versions, marking a significant evolution in attacker capabilities. The dropper presents a fake CRM login screen to employees, leading them to unknowingly install the Chameleon component on their devices.

Chameleon is designed to evade Android’s security measures and stealthily collect entered account information and other confidential data. This poses a serious threat, especially on corporate smartphones used within the hotel industry, as the stolen information could be used for future attacks or sold on the dark web.

Furthermore, researchers have discovered that Chameleon attacks are not limited to the hospitality industry and also target financial institutions, disguising the malware as a security application for installing fake certificates. This highlights the evolving tactics of malicious software and underscores the importance of robust cybersecurity measures.
