
PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks

1 unique source, 1 article

Summary


A new Android trojan called PhantomCard is targeting Brazilian banking customers using NFC relay attacks. The malware mimics legitimate card protection apps to steal card data and PINs, enabling fraudulent transactions. Distributed via fake Google Play pages, PhantomCard is part of a Chinese malware-as-a-service offering and is linked to a known reseller of Android threats in Brazil. The malware establishes a channel between the victim's card and a PoS terminal or ATM controlled by the attacker, facilitating unauthorized transactions. Similar NFC relay malware, such as SuperCard X and KingNFC, is also active in the region, complicating the threat landscape for local financial organizations.

Timeline

  1. 14.08.2025 14:06 1 articles · 1mo ago

    PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks



Similar Happenings

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

The Hook Android banking trojan, an offshoot of ERMAC, has evolved to include ransomware-style overlays and supports 107 remote commands. The malware targets financial applications and is distributed via phishing websites and GitHub repositories. The source code leak of ERMAC V3.0 in March 2024 exposed its full infrastructure, revealing critical weaknesses that can be used by defenders to track and disrupt active operations. ERMAC V3.0, an Android banking trojan, was first documented in September 2021 by ThreatFabric as an evolution of the Cerberus banking trojan operated by a threat actor known as 'BlackRock'. ERMAC v2.0 was spotted by ESET in May 2022, targeting 467 apps, up from 378 in the previous version. In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.