New Android Trojan PhantomCard Targets Banking Customers in Brazil via NFC Relay Fraud

📰 1 unique sources, 1 articles

Summary


A new Android malware called PhantomCard is targeting banking customers in Brazil. The trojan abuses near-field communication (NFC) to conduct relay attacks that facilitate fraudulent transactions. PhantomCard is distributed via fake Google Play web pages mimicking card protection apps. Once installed, it asks victims to place their credit/debit card on the phone and transmits the card data to an attacker-controlled NFC relay server. The malware then prompts victims to enter their PIN, allowing fraudsters to authenticate transactions as if the victim's card were physically present. The malware is part of a Chinese-originating malware-as-a-service (MaaS) offering known as NFU Pay, advertised on Telegram. The actor behind the malware, Go1ano developer, is a serial reseller of Android threats in Brazil and claims PhantomCard works globally and is undetectable.

Timeline

  1. 14.08.2025 14:06 📰 1 articles

    PhantomCard Android Trojan Targets Banking Customers in Brazil via NFC Relay Fraud

Similar Happenings

HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands

A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The HOOK trojan is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuse Android accessibility services for fraud and remote control. The latest version of HOOK includes commands for ransomware overlays, capturing user gestures, and stealing sensitive information like credit card details and lockscreen PINs. It also features transparent overlays to capture user gestures and screen-streaming sessions for real-time monitoring.