New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits
Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil.
"PhantomCard relays NFC data from a victim's banking card to the fraudster's device," ThreatFabric said in a report. "PhantomCard is based on Chinese-originating NFC relay malware-as-a-service."
The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name "Proteção Cartões" (package name "com.nfupay.s145" or "com.rc888.baxi.English").
The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It's currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique.
Once the app is installed and opened, it requests victims to place their credit/debit card on the back of the phone to begin the verification process, at which point the user interface displays the message: "Card Detected! Keep the card nearby until authentication is complete."
In reality, the card data is relayed to an attacker-controlled NFC relay server by taking advantage of the built-in NFC reader built into modern devices. The PhantomCard-laced app then requests the victim to enter the PIN code with the goal of transmitting the information to the cybercriminal so as to authenticate the transaction.
"As a result, PhantomCard establishes a channel between the victim's physical card and the PoS terminal / ATM that the cybercriminal is next to," ThreatFabric explained. "It allows the cybercriminal to use the victim's card as if it was in their hands."
Similar to SuperCard X, there exists an equivalent app on the mule-side that's installed on their device to receive the stolen card information and ensure seamless communications between the PoS terminal and the victim's card.
The Dutch security company said the actor behind the malware, Go1ano developer, is a "serial" reseller of Android threats in Brazil, and that PhantomCard is actually the handiwork of a Chinese malware-as-a-service offering known as NFU Pay that's advertised on Telegram.
Go1ano developer, in their own Telegram channel, claims PhantomCard works globally, stating it is 100% undetectable and is compatible with all NFC-enabled point-of-sale (PoS) terminal devices. They also claim to be a "trusted partner" for other malware families like BTMOB and GhostSpy in the country.
It's worth noting that NFU Pay is one of the many illicit services peddled on the underground that offer similar NFC relay capabilities, such as SuperCard X, KingNFC, and X/Z/TX-NFC.
"Such threat actors pose additional risks to local financial organizations as they open the doors for a wider variety of threats from all over the world, which could have potentially stayed away from certain regions due to language and cultural barriers, specifics of financial system, lack of cash-out ways," ThreatFabric said.
"This, consequently, complicates the threat landscape for local financial organizations and calls out for proper monitoring of the global threats and actors behind it targeting the organization."
In a report published last month warning of a spike in NFC-enabled fraud in the Philippines, Resecurity said Southeast Asia has become a testing ground for NFC fraud, with bad actors targeting regional banks and financial service providers.
"With tools such as Z-NFC, X-NFC, SuperCard X, and Track2NFC, attackers can clone stolen card data and perform unauthorized transactions using NFC-enabled devices," Resecurity said.
"These tools are widely available in underground forums and private messaging groups. The resulting fraud is difficult to detect, as the transactions appear to originate from trusted, authenticated devices. In markets like the Philippines, where contactless payment usage is rising and low-value transactions often bypass PIN verification, such attacks are harder to trace and stop in real time."
The disclosure comes as K7 Security uncovered an Android malware campaign dubbed SpyBanker aimed at Indian banking users that's likely distributed to users via WhatsApp under the guise of a customer help service app.
"Interestingly, this Android SpyBanker malware edits the 'Call Forward Number' to a hard-coded mobile number, controlled by the attacker, by registering a service called 'CallForwardingService' and redirects the user's calls," the company said. "Incoming calls to the victims when left unattended are diverted to the call forwarded number to carry out any desired malicious activity."
Furthermore, the malware comes fitted with capabilities to collect victims' SIM details, sensitive banking information, SMS messages, and notification data.
Indian banking users have also been targeted by Android malware that's designed to siphon financial information, while simultaneously dropping the XMRig cryptocurrency miner on compromised devices. The malicious credit card apps are distributed via convincing phishing pages that use real assets taken from official banking websites.
The list of malicious apps is as follows -
- Axis Bank Credit Card (com.NWilfxj.FxKDr)
- ICICI Bank Credit Card (com.NWilfxj.FxKDr)
- IndusInd Credit Card (com.NWilfxj.FxKDr)
- State Bank of India Credit Card (com.NWilfxj.FxKDr)
The malware is designed to display a bogus user interface that prompts victims to enter their personal information, including names, card numbers, CVV codes, expiry dates, and mobile numbers. A notable aspect of the app is its ability to listen to specific messages sent via Firebase Cloud Messaging (FCM) to trigger the mining process.
"The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload," McAfee researcher Dexter Shin said. "This technique helps evade static detection and complicates analysis."
"These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as 'Get App' or 'Download' buttons, which prompt users to install the malicious APK file."
The findings also follow a report from Zimperium zLabs detailing how rooting frameworks like KernelSU, APatch, and SKRoot can be used to gain root access and escalate privileges, allowing an attacker to gain full control of Android devices.
The mobile security company said it discovered in mid-2023 a security flaw in KernelSU (version 0.5.7) that it said could allow attackers to authenticate as the KernelSU manager and completely compromise a rooted Android device via a malicious application already installed on it that also bundles the official KernelSU manager APK.
However, an important caveat to pull off this attack is that it's only effective if the threat actor application is executed before the legitimate KernelSU manager application.
"Because system calls can be triggered by any app on the device, strong authentication and access controls are essential," security researcher Marcel Bathke said. "Unfortunately, this layer is often poorly implemented – or entirely neglected – which opens the door to serious security risks. Improper authentication can allow malicious apps to gain root access and fully compromise the device."
