PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Fraud
Summary
A new Android trojan called PhantomCard targets Brazilian banking customers by abusing near-field communication (NFC) for relay attacks. The malware facilitates fraudulent transactions by relaying NFC data from victims' banking cards to fraudsters' devices. PhantomCard is distributed via fake Google Play web pages and requests victims to place their cards on the phone for verification, transmitting card data to an attacker-controlled server. The malware is linked to a Chinese malware-as-a-service offering known as NFU Pay, advertised on Telegram. The threat actor behind PhantomCard, Go1ano developer, is a serial reseller of Android threats in Brazil. The malware is part of a broader trend of NFC-enabled fraud targeting financial institutions in Southeast Asia and beyond.
Timeline
- 14.08.2025 14:06 (1 article, 1 month ago): PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Fraud
- Source: New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits (thehackernews.com, 14.08.2025 14:06)
Information Snippets
- PhantomCard is an Android trojan that exploits NFC to conduct relay attacks.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- The malware is distributed via fake Google Play web pages mimicking card protection apps.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- PhantomCard requests victims to place their credit/debit cards on the phone for verification, transmitting card data to an attacker-controlled NFC relay server.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- The malware is linked to a Chinese malware-as-a-service offering known as NFU Pay.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- The threat actor, Go1ano developer, is a serial reseller of Android threats in Brazil.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- PhantomCard is part of a broader trend of NFC-enabled fraud targeting financial institutions in Southeast Asia.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
- Google Play Protect automatically protects against known versions of this malware.
  First reported: 14.08.2025 14:06 (1 source, 1 article)
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
Brokewell Android Malware Distributed via Fake TradingView Ads
A new campaign has been discovered distributing Brokewell Android malware through fake TradingView ads on Meta's advertising platforms. The campaign targets cryptocurrency assets and has been active since at least July 22, 2025. The malware, which has been active since early 2024, features extensive capabilities including data theft, remote monitoring, and device control. The campaign uses localized ads and a malicious APK file to infect Android devices. The malware mimics an Android update request to steal device PINs and has a broad set of tools for monitoring, controlling, and stealing sensitive information. It targets cryptocurrency wallets, Google Authenticator codes, and banking credentials. The campaign is part of a larger operation that previously targeted Windows users through Facebook ads impersonating well-known brands. The campaign has run at least 75 malicious ads since July 22, 2025, reaching tens of thousands of users in the European Union alone.
TamperedChef Malware Campaign Targets Users via Fake PDF Editors
A cybercrime campaign using malvertising to distribute a new information stealer called TamperedChef has been discovered. The malware is disguised as a fake PDF editor, AppSuite PDF Editor, and is designed to steal sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign involves multiple fraudulent websites promoting the PDF editor, which, once installed, makes covert requests to an external server to drop the PDF editor program and set up persistence on the host. The malware gathers information about installed security products and attempts to terminate web browsers to access sensitive data. The campaign includes more than 50 domains and apps signed with fraudulent certificates from at least four companies. The threat actor has been active since at least August 2024, promoting other tools like OneStart and Epibrowser, which can turn hosts into residential proxies.
HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands
A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to display extortion messages. This variant can deploy full-screen ransomware overlays, steal credentials, and execute 107 remote commands, including capturing user gestures and mimicking NFC and Google Pay interfaces. HOOK is distributed through phishing websites, GitHub repositories, and other malicious channels, posing a significant risk to financial institutions and users. The malware is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked. The new variant includes features to send SMS messages, stream the victim's screen, capture photos, and steal cryptocurrency wallet information. The evolution of HOOK highlights the convergence of banking trojans with spyware and ransomware tactics.