Chameleon malware is attacking restaurants in Canada and Europe


The infamous device takeover malware has made a comeback disguised as a Customer Relationship Management (CRM) app.

Chameleon malware is back with a new campaign targeting an international restaurant chain, with a focus on Europe and Canada.

First spotted by Mobile Threat Intelligence analysts at ThreatFabric, the device-takeover trojan is this time masquerading as a restaurant CRM app and targeting hospitality workers, and potentially employees of other B2C businesses. The report does not name the restaurant chain targeted by the campaign.

[Image: Chameleon malware campaign. Source: ThreatFabric]

The analysts write, “If the attackers succeed in infecting a device with access to corporate banking, Chameleon will gain access to business banking accounts and pose a significant risk to the organization.”

“The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of masquerading during this latest campaign.”

The dropper bypasses the restrictions Android 13 and later place on sideloaded apps and installs the Chameleon payload on the user's device.

[Image: Chameleon dropper bypassing Android 13+ restrictions. Source: ThreatFabric]

Once launched, the dropper displays a fake CRM login page requesting an Employee ID. When the employee enters it, a message asks them to reinstall the application; in reality, the Chameleon payload is being installed.

After installation, a fake website loads and again asks for the employee's credentials. Because Chameleon is already running in the background, it can also capture credentials and other sensitive input through keylogging.
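The two behaviours described above, a first-stage app that installs a second APK and a payload that can read keystrokes, both leave traces in an app's manifest. The static triage below is an added example, not code from the article or from ThreatFabric: it scores a decoded AndroidManifest.xml (as produced by apktool) for the dropper permission and for a service bound to the Accessibility API, which is the usual way Android banking trojans implement keylogging. The indicator list, weights, threshold and both sample manifests are constructed assumptions for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper and
keylogging indicators.  Added example with constructed inputs; the
indicators and weights are assumptions, not taken from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Return the namespaced key for an android:<attr> attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Assumed indicators: permissions a dropper / device-takeover payload
# typically declares. Weights are illustrative.
INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can install further APKs (dropper)", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("can draw overlays over other apps", 2),
    "android.permission.READ_SMS": ("can read SMS (OTP interception)", 2),
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUSPICIOUS_THRESHOLD = 4  # assumption: any accessibility service, or two permissions


def triage_manifest(xml_text):
    """Return package name, score, findings and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    declared = {p.get(a("name")) for p in root.iter("uses-permission")}
    for perm, (why, weight) in INDICATORS.items():
        if perm in declared:
            findings.append(f"{perm}: {why}")
            score += weight

    # A service guarded by BIND_ACCESSIBILITY_SERVICE receives every
    # keystroke and on-screen text once the user enables it; a CRM app
    # has no business declaring one.
    for svc in root.iter("service"):
        if svc.get(a("permission")) == ACCESSIBILITY_PERM:
            findings.append(f"service {svc.get(a('name'))} requests accessibility access (keylogging-capable)")
            score += 4

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign-looking"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample: what a legitimate CRM client might declare.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.restaurantcrm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Restaurant CRM">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>"""

# Constructed sample: the shape of a dropper-plus-payload manifest
# (hypothetical package and class names).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.crm.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="CRM">
    <activity android:name=".FakeLoginActivity"/>
    <service android:name=".KeyLogService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


if __name__ == "__main__":
    for sample in (BENIGN_MANIFEST, DROPPER_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["score"])
        for line in result["findings"]:
            print("  -", line)
```

This is only a first pass: the first-stage app's own manifest can look clean, with the telling permissions arriving in the second APK that the "reinstall" prompt drops, so the payload installed after that step should be pulled from the device and triaged as well.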

[Image: fake credential page loaded after installation. Source: ThreatFabric]

Such information can be used in further attacks, or malicious actors can monetize it by selling it on underground forums.

Discovered in December 2022, the Chameleon trojan has become a significant threat to the Android ecosystem, with earlier campaigns focused on users in Australia and Poland.

The malware has enabled threat actors to bypass biometric security and steal PINs and data. It mimics legitimate apps to trick users into granting it permissions; once it has access to a device, it can monitor activity and intercept credentials.