New Android Malware Wave Targets Banking Customers with NFC Relay, Call Hijacking, and Root Exploits

Cybersecurity researchers have uncovered a new wave of Android malware, dubbed PhantomCard, which exploits near-field communication (NFC) to conduct relay attacks that enable fraudulent banking transactions in Brazil.

PhantomCard operates by relaying NFC data from victims' banking cards to devices controlled by attackers. The malware is built on a Chinese-origin NFC relay malware-as-a-service platform and is distributed through web pages that imitate Google Play listings for legitimate card protection apps, often under names like Proteção Cartões. The pages carry fake positive reviews to lure users into installing the malicious app; victims are most likely driven to them by smishing or other social engineering.

Once installed, the app instructs users to place their credit or debit card on the back of their phone, displaying a message like “Card Detected! Keep the card nearby until authentication is complete.” While the card is held there, the app reads it over NFC and silently forwards the exchange to an attacker-controlled NFC relay server. Victims are then prompted to enter their PIN, giving attackers the last piece they need to authenticate and execute fraudulent transactions.

This setup establishes a live channel between the victim's physical card and a point-of-sale (PoS) terminal or ATM operated by the attacker, effectively letting the cybercriminal use the card remotely. A companion app on the attacker's “mule” device, held to the PoS, relays the terminal's commands to the victim's card and the card's responses back, the same arrangement seen in earlier campaigns such as SuperCard X.
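To make the relay described above concrete, here is an added example that models it in Python. It is not PhantomCard's code or anything from the researchers' report: the card, the APDUs, the latencies and the timing budget are all constructed stand-ins, and the card logic is a toy rather than a real EMV implementation. What it shows is the point that matters to a terminal operator: the relayed card answers byte-for-byte like a card lying on the reader, and the only observable the relay cannot forge is round-trip time, which is what relay-resistance timing checks in newer EMV contactless kernels measure.

```python
"""Added example (not PhantomCard code): an in-process model of an NFC relay.

A payment terminal only ever sees command/response APDUs, so a card relayed
over a network answers exactly like a card lying on the reader. The one thing
the relay cannot hide is time. Everything here is constructed: the card, the
APDUs, the latencies. Nothing talks to real hardware or implements real EMV."""
from dataclasses import dataclass, field
from typing import Dict, List

SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"
# "2PAY.SYS.DDF01" is the contactless PPSE name a terminal selects first.
PPSE = b"2PAY.SYS.DDF01"
# SELECT by name: CLA=00 INS=A4 P1=04 P2=00 Lc=14 <name> Le=00
SELECT_PPSE = bytes([0x00, 0xA4, 0x04, 0x00, len(PPSE)]) + PPSE + b"\x00"


@dataclass
class FakeCard:
    """Constructed stand-in for the victim's card (not an EMV implementation)."""
    # Constructed FCI: a 6F template carrying a single 84 (DF name) tag.
    fci: bytes = bytes.fromhex("6F10840E") + PPSE
    received: List[bytes] = field(default_factory=list)

    def transceive(self, capdu: bytes) -> bytes:
        self.received.append(capdu)
        lc = capdu[4]
        if capdu[1] == 0xA4 and capdu[5:5 + lc] == PPSE:
            return self.fci + SW_OK
        return SW_FILE_NOT_FOUND


@dataclass
class FakeClock:
    """Simulated clock so the timing result is deterministic."""
    now: float = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class DirectTap:
    """Card physically on the terminal: only the NFC hop in each direction."""
    card: FakeCard
    clock: FakeClock
    nfc_latency: float = 0.005  # assumed 5 ms per NFC hop

    def transceive(self, capdu: bytes) -> bytes:
        self.clock.advance(self.nfc_latency)
        rapdu = self.card.transceive(capdu)
        self.clock.advance(self.nfc_latency)
        return rapdu


@dataclass
class RelayedTap:
    """Mule phone at the terminal: every APDU crosses the network to the
    victim's phone, which taps the real card and sends the answer back."""
    card: FakeCard
    clock: FakeClock
    network_rtt: float = 0.120  # assumed 120 ms round trip via the relay server
    nfc_latency: float = 0.005

    def transceive(self, capdu: bytes) -> bytes:
        self.clock.advance(self.network_rtt / 2)  # mule -> relay server -> victim phone
        self.clock.advance(self.nfc_latency)
        rapdu = self.card.transceive(capdu)       # victim phone taps the real card
        self.clock.advance(self.nfc_latency)
        self.clock.advance(self.network_rtt / 2)  # victim phone -> relay server -> mule
        return rapdu


def terminal_select_ppse(tap, clock: FakeClock, max_elapsed: float = 0.050) -> Dict:
    """What a terminal can observe: the response bytes and how long they took.
    max_elapsed is an assumed budget standing in for a relay-resistance limit."""
    start = clock.now
    rapdu = tap.transceive(SELECT_PPSE)
    elapsed = clock.now - start
    return {
        "rapdu": rapdu,
        "sw_ok": rapdu[-2:] == SW_OK,
        "elapsed_ms": round(elapsed * 1000, 1),
        "within_timing_limit": elapsed <= max_elapsed,
    }


def compare_direct_vs_relayed() -> Dict[str, Dict]:
    """Run the same SELECT against a direct tap and a relayed tap of the same card."""
    results = {}
    for name, tap_cls in (("direct", DirectTap), ("relayed", RelayedTap)):
        clock = FakeClock()
        results[name] = terminal_select_ppse(tap_cls(FakeCard(), clock), clock)
    return results


if __name__ == "__main__":
    for name, r in compare_direct_vs_relayed().items():
        print(f"{name:8s} sw_ok={r['sw_ok']} elapsed={r['elapsed_ms']} ms "
              f"within_limit={r['within_timing_limit']} rapdu={r['rapdu'].hex()}")
```

Both taps return the identical response and status word 9000, so nothing in the data tells the terminal it is talking to a card in another city. The relayed exchange, however, takes 130 ms against 10 ms for the direct tap, which is why the defence lives in timing rather than in content, and why the PIN collected by the fake app is what turns a relayed tap into a completed transaction.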

Researchers have identified the developer behind PhantomCard, known as Go1ano, as a prolific reseller of Android threats in Brazil. PhantomCard itself is linked to the Chinese NFU Pay malware-as-a-service, promoted on Telegram and marketed as globally undetectable, compatible with all NFC-enabled PoS devices, and a “trusted partner” for other malware families like BTMOB and GhostSpy.

The rise of NFC relay malware, alongside threats like SpyBanker targeting India, shows how varied mobile banking fraud has become. SpyBanker, for example, manipulates call forwarding so that incoming calls are redirected to the attacker, while also harvesting banking data, SMS messages, and SIM details. Other malware plants cryptocurrency miners such as XMRig on infected devices, and phishing apps replicate official banking pages to trick users into handing over personal information.

Additionally, attackers are increasingly targeting rooting frameworks like KernelSU, APatch, and SKRoot to escalate privileges on Android devices. These frameworks grant root to a trusted manager app, and the weakness lies in how that manager is authenticated: a malicious app that impersonates the manager and runs before the legitimate one can be granted root and take full control of the device. The lesson is that the check deciding who gets root must be robust, not a race that the first app to start wins.

Taken together, these campaigns show how far Android malware has advanced, and why financial institutions and users alike need rigorous security measures, visibility into global threat activity, and continued vigilance against mobile fraud techniques of this kind.

Source: https://thehackernews.com/2025/08/new-android-malware-wave-hits-banking.html