New Android Trojan PhantomCard Exploits NFC for Fraud
Summary
A new Android trojan, PhantomCard, has been observed exploiting near-field communication (NFC) to facilitate fraudulent transactions. The malware targets banking customers in Brazil, instructing users to place their credit/debit cards on the back of their phones for verification. This action sends the card data to an attacker-controlled NFC relay server, which then passes the stolen details to money mules for use in contactless payment systems. The malware operates by tricking users into installing malicious apps that exploit NFC technology. Once installed, the app prompts users to place their cards on the phone, capturing the card details and transmitting them to the attackers. The stolen information is then used to create contactless payment methods, such as Apple Pay or Google Pay, enabling fraudulent transactions. This attack highlights the growing threat of NFC-based fraud and the need for enhanced security measures to protect mobile banking customers.
Timeline
- 18.08.2025 15:47 (1 article)
PhantomCard Android Trojan Exploits NFC for Fraudulent Transactions
Sources:
- Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
Information Snippets
- PhantomCard is a new Android trojan that exploits NFC to conduct relay attacks.
  First reported: 18.08.2025 15:47 (1 source, 1 article)
  - Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
- The malware targets banking customers in Brazil, instructing users to place their credit/debit cards on the back of their phones.
  First reported: 18.08.2025 15:47 (1 source, 1 article)
  - Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
- The stolen card details are sent to an attacker-controlled NFC relay server and passed to money mules for use in contactless payment systems.
  First reported: 18.08.2025 15:47 (1 source, 1 article)
  - Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
- The malware operates by tricking users into installing malicious apps that capture card details via NFC.
  First reported: 18.08.2025 15:47 (1 source, 1 article)
  - Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
- The stolen information is used to create contactless payment methods, enabling fraudulent transactions.
  First reported: 18.08.2025 15:47 (1 source, 1 article)
  - Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More (thehackernews.com, 18.08.2025 15:47)
Similar Happenings
HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands
A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The HOOK trojan is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuse Android accessibility services for fraud and remote control. The latest version of HOOK includes commands for ransomware overlays, capturing user gestures, and stealing sensitive information like credit card details and lockscreen PINs. It also features transparent overlays to capture user gestures and screen-streaming sessions for real-time monitoring.
Data breach at Auchan exposes sensitive information of hundreds of thousands of customers
French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.
Allianz Life data breach affects 1.1 million customers via Salesforce compromise
Allianz Life, a U.S. insurance subsidiary of Allianz SE, experienced a data breach in July 2025. Hackers accessed a third-party cloud CRM system, stealing personal information of 1.1 million customers. The breach involved a malicious OAuth app linked to Salesforce instances, leading to the exfiltration of sensitive data. The extortion group ShinyHunters, tracked as UNC6040, claimed responsibility and leaked the stolen data. The breach is part of a broader campaign targeting multiple high-profile companies, including Google, Adidas, Workday, Qantas, Pandora, and Workiva. Allianz Life confirmed the breach but declined to provide additional details due to an ongoing investigation. Qantas Group executives reduced their short-term compensation by 15% due to the impact of the cyberattack on customers, which affected approximately 5.7 million passengers.