
Android malware targeting banking applications through NFC relay scams and call hijacking

Cybersecurity researchers have identified a new Android trojan named PhantomCard that abuses Near-Field Communication (NFC) technology to carry out relay attacks enabling fraudulent transactions against banking customers in Brazil. According to ThreatFabric, PhantomCard relays NFC data from a victim’s banking card to the fraudster’s device and is built on an NFC relay malware-as-a-service of Chinese origin. The malware is distributed through counterfeit Google Play web pages that imitate legitimate card protection apps, under the name “Proteção Cartões” with the package names “com.nfupay.s145” or “com.rc888.baxi.English”. These fraudulent pages carry fake positive reviews to entice victims into installing the app. How the links to these pages reach victims remains unclear, but smishing or similar social engineering techniques are likely used.

Once installed, the app prompts victims to hold their credit or debit card against the back of their phone for “verification”, displaying a message that falsely claims, “Card Detected! Keep the card nearby until authentication is complete.” In reality, the card data read through the device’s built-in NFC reader is transmitted to an attacker-controlled NFC relay server. PhantomCard then asks for the victim’s PIN code so that it can be forwarded to the cybercriminal to authenticate transactions. This creates a direct channel between the victim’s physical card and the Point-of-Sale (PoS) terminal or ATM at which the fraudster is standing. ThreatFabric attributes PhantomCard to the Go1ano developer, a known reseller of Android threats in Brazil, and identifies it as part of a Chinese malware-as-a-service offering called NFU Pay, advertised on Telegram. The developer claims that PhantomCard is globally operational, undetectable, and compatible with all NFC-enabled PoS devices. Such an offering poses a significant risk to local financial institutions because it introduces a broader range of threats capable of bypassing regional barriers.
