PhantomCard Android trojan NFC relay fraud activity
Malware Activity
Summary
The PhantomCard Android trojan is using NFC relay attacks to move banking card data through attacker infrastructure and enable fraudulent transactions against banking customers in Brazil. The malware is distributed through fake Google Play pages posing as card-protection apps and then prompts victims to place a card near the phone and enter a PIN. Its design lets criminals relay the information to a nearby PoS terminal / ATM and spend the card as if it were physically present.
Related Happenings
RelayNFC Android NFC relay malware targeting Brazilian banking users
Malware Activity
First: 03.12.2025 17:32
Last: 03.12.2025 17:32
Sources 1
About this happening:
The **RelayNFC** malware is actively targeting **Brazilian banking users** with **Android**-based **NFC relay attacks**, creating a path to steal contactless payment data and enab...
NGate / NFSkate NFC relay campaign targeting Polish bank users
Campaign
First: 11.11.2025 13:44
Last: 11.11.2025 13:44
Sources 1
About this happening:
The **NGate / NFSkate** campaign is using **phishing emails or SMS** to trick **users of Polish banks** into installing Android malware that relays NFC traffic and enables **unaut...
Timeline
- 14.08.2025 14:06 · 1 article
ThreatFabric discloses PhantomCard NFC relay malware targeting banking customers in Brazil
Initial Disclosure: ThreatFabric disclosed PhantomCard, an Android trojan targeting banking customers in Brazil by relaying NFC card data for fraudulent transactions. The malware is distributed through fake Google Play web pages that mimic card-protection apps under the name Proteção Cartões, uses package names com.nfupay.s145 and com.rc888.baxi.English, and prompts victims to place a credit or debit card near the phone and enter a PIN while card data is forwarded to an attacker-controlled NFC relay server and a mule-side app for use at a PoS terminal or ATM. ThreatFabric also described PhantomCard as based on Chinese-originating NFC relay malware-as-a-service and linked it to NFU Pay advertised on Telegram.
Sources:
- New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06