PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks
Summary
A new Android trojan called PhantomCard is targeting Brazilian banking customers using NFC relay attacks. The malware mimics legitimate card protection apps to steal card data and PINs, enabling fraudulent transactions. Distributed via fake Google Play pages, PhantomCard is part of a Chinese malware-as-a-service offering and is linked to a known reseller of Android threats in Brazil. The malware establishes a channel between the victim's card and a PoS terminal or ATM controlled by the attacker, facilitating unauthorized transactions. Similar NFC relay malware families, such as SuperCard X and KingNFC, are also active in the region, complicating the threat landscape for local financial organizations.
Timeline
- 14.08.2025 14:06 · 1 article
PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks
- New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
Information Snippets
- PhantomCard is an Android trojan that uses NFC relay attacks to steal banking card data and PINs.
First reported: 14.08.2025 14:06 (1 source, 1 article)
- The malware is distributed via fake Google Play pages mimicking legitimate card protection apps.
- PhantomCard is based on a Chinese-originating NFC relay malware-as-a-service offering known as NFU Pay.
- The malware is linked to Go1ano developer, a known reseller of Android threats in Brazil.
- PhantomCard establishes a channel between the victim's card and a PoS terminal or ATM controlled by the attacker.
- Similar NFC relay malware families, such as SuperCard X and KingNFC, are active in the region.
Similar Happenings
Klopatra Android Trojan Conducts Nighttime Bank Transfers
A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them.

Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing.

The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. It integrates Virbox, a commercial-grade code protector, to obstruct reverse engineering and analysis, uses native libraries to reduce its Java/Kotlin footprint, and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. It uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.
ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
The Hook Android banking trojan, an offshoot of ERMAC, has evolved to include ransomware-style overlays and supports 107 remote commands. The malware targets financial applications and is distributed via phishing websites and GitHub repositories. The source code leak of ERMAC V3.0 in March 2024 exposed its full infrastructure, revealing critical weaknesses that can be used by defenders to track and disrupt active operations. ERMAC V3.0, an Android banking trojan, was first documented in September 2021 by ThreatFabric as an evolution of the Cerberus banking trojan operated by a threat actor known as 'BlackRock'. ERMAC v2.0 was spotted by ESET in May 2022, targeting 467 apps, up from 378 in the previous version. In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.