A new and sophisticated Android trojan, dubbed PhantomCard, has been identified by cybersecurity researchers as a significant threat to banking customers in Brazil. The malware is notable for using near-field communication (NFC) to carry out relay attacks, forwarding data between a victim's physical banking card and a cybercriminal's device. This scheme allows fraudsters to carry out unauthorized transactions as if they were in possession of the victim's card. The discovery of PhantomCard highlights a growing trend of malware-as-a-service (MaaS) offerings and the intricate social engineering tactics used to distribute them.
The distribution of PhantomCard relies on highly deceptive social engineering techniques. The trojan is disguised within a fake app called “Proteção Cartões” (Card Protection), which is spread through bogus Google Play web pages. These fraudulent pages are meticulously designed to mimic the authentic app store, complete with fabricated positive reviews intended to build a sense of trust and legitimacy. While the exact methods of distributing links to these deceptive pages are not fully known, it is highly probable that attackers utilize smishing (SMS phishing) or other similar social engineering campaigns to lure unsuspecting victims into downloading the malicious app. This initial stage is crucial, as it sets the foundation for the subsequent data theft.
Once a victim is successfully tricked into installing the app and launching it, the malware initiates its core deceptive function. The app prompts the user to place their credit or debit card on the back of their phone for a supposed “verification process.” A message like “Card Detected! Keep the card nearby until authentication is complete” is displayed, reinforcing the illusion of a legitimate security check. However, this is merely a cover for the malware’s true purpose. As soon as the card is placed, PhantomCard activates the device’s built-in NFC reader to capture the card’s data. This information is then immediately relayed to an attacker-controlled NFC server, effectively creating a direct channel between the victim’s card and the fraudster.
The final step in the attack chain involves a request for the victim's PIN code. After the card data has been relayed, the app asks the user to enter their PIN, claiming it is necessary to complete the authentication. The victim, still under the impression that this is a valid security procedure, provides this crucial piece of information, which is then transmitted to the cybercriminal. With both the card data and the PIN in their possession, the attacker can use a companion app on their own device to complete transactions at a point-of-sale (PoS) terminal or ATM. This setup, which resembles other NFC relay malware such as SuperCard X, lets the criminal defeat card-present checks and use the victim's card as if it were physically in their hands.
The developer behind this sophisticated operation has been identified as Go1ano, a known reseller of Android threats in Brazil. According to security researchers at ThreatFabric, Go1ano is a “serial” cybercriminal who promotes PhantomCard as a global MaaS offering. The malware itself is believed to be the product of a Chinese MaaS operation called NFU Pay, which is advertised on platforms like Telegram. Go1ano has publicly claimed that PhantomCard is “100% undetectable” and compatible with all NFC-enabled PoS terminals, further promoting its criminal utility. This connection to a broader criminal network and the claims of global functionality underscore the serious and widespread nature of this new cybersecurity threat.