PhantomCard: The New Android Malware Using NFC to Steal Your Money

A new Android malware campaign has emerged, targeting banking customers in Brazil, India, and Southeast Asia, combining contactless fraud via NFC, call interception, and the exploitation of device vulnerabilities.

Researchers at ThreatFabric have identified a Trojan dubbed PhantomCard, which leverages near-field communication to execute relay attacks. Criminals capture victims’ card data and transmit it through a controlled server to an accomplice’s device positioned near a payment terminal or ATM. This creates a proxy channel that enables fraudulent transactions as though the physical card were present.

PhantomCard is distributed through fake Google Play pages, disguised as an application called Proteção Cartões and bolstered by fabricated positive reviews. Once installed, it prompts users to tap their bank card against the phone “for verification” and enter their PIN, which is then transmitted to the attacker. A corresponding application on the accomplice’s device synchronizes with the payment terminal to complete the fraud.


According to ThreatFabric, development traces back to a Brazilian vendor of malicious tools known as Go1ano, who relies on the Chinese platform NFU Pay, which offers comparable services under a malware-as-a-service (MaaS) model. Comparable offerings include SuperCard X, KingNFC, and X/Z/TX-NFC. Experts warn that such services remove language and infrastructure barriers for would-be operators, thereby broadening the reach of these attacks globally.

Reports by Resecurity in July highlighted that Southeast Asian countries—particularly the Philippines—have become a testing ground for contactless fraud. The widespread adoption of NFC payments, especially for small purchases that bypass PIN verification, makes unauthorized transactions easier to execute and harder to detect.

Simultaneously, K7 Security uncovered an Indian campaign involving the Android malware SpyBanker, distributed via WhatsApp under the guise of a banking support app. The malware modifies call forwarding numbers to predetermined ones in order to intercept incoming calls, while harvesting SIM data, banking credentials, SMS messages, and notifications.

Another attack vector in India involves fake credit apps branded under the names of major banks and downloaded from phishing pages. According to McAfee, these APK files act as droppers, downloading a malicious payload post-installation. Victims are presented with an interface mimicking legitimate banking apps, prompting them to enter full personal and financial details, including card number, CVV, expiration date, and phone number.

The malware also embeds a cryptocurrency miner (XMRig), triggered by specific commands delivered via Firebase Cloud Messaging. To bolster credibility, the phishing pages embed images and scripts from real banking sites, while download buttons lead to compromised APKs.

The diversity of these tactics underscores how mobile devices have become the epicenter of financial cyberattacks, where misplaced trust in familiar channels of communication and payment has turned into the weakest link in user protection.