New Android Trojan: PhantomCard Targets Banking Customers in Brazil
Cybersecurity researchers have recently identified a sophisticated new Android trojan named PhantomCard. This malware exploits near-field communication (NFC) technology to execute relay attacks, enabling fraudulent transactions specifically aimed at banking customers in Brazil.
How PhantomCard Operates
ThreatFabric, the cybersecurity firm that uncovered PhantomCard, explains that this malware intercepts NFC data from a victim’s bank card and relays it to the fraudster’s device. Interestingly, PhantomCard is based on a malware-as-a-service model hailing from China, specifically designed for NFC attacks.
Distribution Methods
PhantomCard is distributed through counterfeit Google Play web pages that mimic legitimate apps claiming to offer card protection. Two known variants of the app—"Proteção Cartões" with package names "com.nfupay.s145" and "com.rc888.baxi.English"—have surfaced. These fake pages use misleading positive reviews to lure potential victims into installing the app, although the exact methods used to disseminate links to these pages remain unclear. It is likely, however, that tactics such as smishing (SMS phishing) are involved.
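As an added example (not code from the article or from ThreatFabric), the script below checks a device's installed-package list for the two package names reported above. It parses the output of `adb shell pm list packages -f` (the sample output embedded in the script is constructed for this example) and reports each match together with its APK path, noting whether the APK lives under /data/app/, i.e. was user-installed rather than shipped in the system image, which is consistent with distribution through fake Play pages.

```python
"""Check an Android package list for the PhantomCard package names.

Added example, not from the article or ThreatFabric. It parses the output of
`adb shell pm list packages -f` and flags the two package names the article
reports. SAMPLE_PM_OUTPUT is constructed; the APK paths in it are made up.
"""
from typing import Dict, List, Tuple

# Package names the article attributes to the PhantomCard "Proteção Cartões" app.
PHANTOMCARD_PACKAGES = frozenset({
    "com.nfupay.s145",
    "com.rc888.baxi.English",
})

# Constructed sample of `pm list packages -f` output (paths are invented).
SAMPLE_PM_OUTPUT = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~AbC==/com.nfupay.s145-XyZ==/base.apk=com.nfupay.s145
package:/data/app/~~DeF==/com.example.bank-1/base.apk=com.example.bank
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages [-f]` output.

    With -f each line is `package:<apk path>=<package name>`; without it the
    line is just `package:<package name>` (path recorded as an empty string).
    APK paths may themselves contain '=', so the split is on the LAST '='.
    """
    installed: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines or warnings adb may print
        rest = line[len("package:"):]
        if "=" in rest:
            path, pkg = rest.rsplit("=", 1)
        else:
            path, pkg = "", rest
        installed[pkg] = path
    return installed


def find_indicators(installed: Dict[str, str],
                    blocklist=PHANTOMCARD_PACKAGES) -> List[Tuple[str, str, bool]]:
    """Return (package, apk_path, user_installed) for each blocklisted package present.

    Package names are compared exactly, since Android treats them as
    case-sensitive. An APK under /data/app/ was installed after the device
    shipped (store or sideload), which is what the article's distribution
    channel would produce; system-image paths would be unexpected here.
    """
    hits: List[Tuple[str, str, bool]] = []
    for pkg in sorted(blocklist):
        if pkg in installed:
            path = installed[pkg]
            hits.append((pkg, path, path.startswith("/data/app/")))
    return hits


if __name__ == "__main__":
    # In practice, feed in the real output of `adb shell pm list packages -f`.
    for pkg, path, user_installed in find_indicators(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"PhantomCard indicator: {pkg} at {path or '<no path>'} "
              f"(user-installed: {user_installed})")
```

The blocklist is only as good as the published package names; a fresh build of the app under a new package name will not be caught, so this check complements, rather than replaces, Play Protect and a review of which apps hold NFC permissions.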
The Attack Process
Once an unsuspecting user installs PhantomCard, the app requests that they place their credit or debit card on the back of their phone. This prompts a deceptive message claiming, "Card Detected! Keep the card nearby until authentication is complete." In truth, the app relays the card data to a server controlled by the attackers, taking advantage of the NFC capabilities present in most modern smartphones.
After the card data is transmitted, PhantomCard prompts the victim for their PIN. The information is then sent to the cybercriminal, enabling them to authenticate transactions as if they were physically in possession of the victim’s card. This clever ruse effectively bridges the gap between the physical card and the point-of-sale (PoS) terminal or ATM that the attacker is near.
The Bigger Picture: Who’s Behind PhantomCard?
The individual or group responsible for PhantomCard has been linked to a "Go1ano developer," described by ThreatFabric as a "serial" reseller of Android threats in Brazil. This entity is associated with the Chinese malware-as-a-service outlet known as NFU Pay, advertised on platforms like Telegram. The Go1ano developer claims that PhantomCard operates globally and is compatible with any NFC-enabled PoS terminal, thereby enhancing the malware’s reach.
Understanding the Threat Landscape
PhantomCard is not an isolated incident; it’s part of a broader trend. ThreatFabric noted that NFU Pay, along with other underground services like SuperCard X and KingNFC, are actively exploited for NFC relay fraud. This opens avenues for numerous threats, particularly affecting local financial organizations by exposing them to a wider array of global attacks that might otherwise be deterred by language or cultural barriers.
Regional Impacts and Rising Concerns
The threat isn’t confined to Brazil. Recent reports have highlighted a similar spike in NFC fraud across Southeast Asia, particularly in markets where contactless payments are gaining traction. Cybercriminals are increasingly targeting regional banks, utilizing tools that clone stolen card data for unauthorized transactions.
Research indicates that tools such as Z-NFC, X-NFC, and SuperCard X allow attackers to perform these rapid fraud schemes. Given the nature of contactless payments, many low-value transactions do not require PIN verification, making it easier for these attacks to go unnoticed.
Other Malicious Android Activities
Adding to the concern, a separate cybersecurity firm, K7 Security, uncovered an Android malware campaign titled SpyBanker, specifically focused on banking users in India. This malware propagates as a customer service application and redirects calls to a number controlled by the attacker, allowing further exploitation of victims’ personal and banking details.
Additionally, there is an alarming trend of distributing malicious apps via phishing pages that mimic legitimate banking interfaces, facilitating the theft of sensitive information such as names, card numbers, and even CVV codes. The prevalence of these tactics requires immediate vigilance from users who frequently engage with financial services through mobile applications.
Final Note
While Google has stated that no PhantomCard malware has been found in its Play Store and that users are generally protected by Google Play Protect, the reality indicates an ongoing battle against sophisticated threats in the mobile domain. The rise in NFC fraud demonstrates the necessity for enhanced vigilance, education, and protective measures for both users and institutions in the financial sector.