Attackers commenced the operation with the deployment of dropper that could evade protections in Android 13 and newer devices before displaying a fraudulent CRM login page requesting an employee ID, which when performed facilitates the installation of Chameleon, a report from Threat Fabric showed. With the appearance of another phony site seeking employee credentials, Chameleon could proceed with gathering of sensitive details, reported Threat Fabric researchers.

Source: SC Magazine