PhantomCard Android Trojan Uses NFC Relay to Enable Fraudulent Banking Transactions in Brazil

Security researchers on Monday disclosed PhantomCard, a new Android trojan that abuses near-field communication (NFC) to conduct relay attacks and facilitate fraudulent transactions against banking customers in Brazil. The analysis, by ThreatFabric, describes PhantomCard as an NFC-driven Android malware-as-a-service linked to a broader ecosystem of card-skimming tools. ThreatFabric said the malware relays data from the victim’s card to the attacker’s device, in effect creating a live bridge to the victim’s card data.

Once installed, PhantomCard uses the phone’s native NFC reader to capture the card’s information and relays it to an attacker-controlled NFC relay server. The malicious app then prompts the user to enter their PIN, and the attacker uses the intercepted data to authenticate transactions. ThreatFabric described the technique as effectively placing the victim’s card in a covert line with a nearby POS terminal or ATM, so that the cybercriminal can use the card as if it were in their own possession.

In its campaigns, the malware is distributed via fake Google Play web pages that mimic legitimate card-protection apps. The app, named Proteção Cartões (package names “com.nfupay.s145” or “com.rc888.baxi.English”), is backed by fake positive reviews on those pages to persuade victims to install it. The distribution method may rely on social-engineering techniques such as smishing to direct users to the fraudulent pages.
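A defender-side triage check, added here as an example and not code from ThreatFabric’s report: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and flags the two package names reported above plus any third-party app that was not installed from Google Play, which is how the fake Play pages deliver it. The sample output and the trusted-installer set are constructed assumptions.

```python
import re
from typing import Dict, List

# Package names reported for the Proteção Cartões (PhantomCard) builds.
PHANTOMCARD_PACKAGES = {"com.nfupay.s145", "com.rc888.baxi.English"}

# Installers treated as trusted for this heuristic (assumption: Google Play only;
# add an MDM or vendor store package name for managed fleets).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Line format emitted by `pm list packages -i`: "package:<name>  installer=<pkg|null>"
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample of `adb shell pm list packages -3 -i` output (not from a real device).
SAMPLE_OUTPUT = """\
package:com.example.bankapp  installer=com.android.vending
package:com.nfupay.s145  installer=null
package:org.example.sideloaded  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package name from `pm list packages -i` output."""
    installed = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("inst")
    return installed


def triage(installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Return known PhantomCard packages and other third-party apps not from a trusted store.

    With the -3 filter only third-party packages are listed, so installer=null means
    the app was sideloaded (browser download, ADB, or a fake store page).
    """
    known = sorted(p for p in installed if p in PHANTOMCARD_PACKAGES)
    sideloaded = sorted(
        p for p, inst in installed.items()
        if p not in PHANTOMCARD_PACKAGES and inst not in TRUSTED_INSTALLERS
    )
    return {"known_phantomcard": known, "sideloaded": sideloaded}


if __name__ == "__main__":
    print(triage(parse_pm_list(SAMPLE_OUTPUT)))
```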

The operation is linked to a broader ecosystem, including a mule-side app designed to receive stolen card details and ensure seamless communication with the payment terminal. Threat actors behind PhantomCard market the service as globally compatible with NFC-enabled POS devices. Go1ano, the developer associated with the threat, has advertised PhantomCard as a universal, 100% undetectable malware-as-a-service offered on networks like Telegram, and is described as a reseller of other Android threats in Brazil. While the threat is framed as globally deployable, the exact distribution channels for the initial infection remain under investigation.

Separately, researchers noted that NFC-enabled fraud has seen a surge in other regions. Resecurity cautioned that Southeast Asia, and specifically the Philippines, has become a testing ground for NFC fraud, with attackers targeting regional banks and financial service providers. Tools cited in the report, including Z-NFC, X-NFC, SuperCard X, and Track2NFC, enable cloning of card data and unauthorized transactions via NFC-capable devices. Resecurity said these tools are widely available in underground forums and private groups, complicating real-time detection and attribution during fraud campaigns.

Security researchers also highlighted related Android threats such as SpyBanker, identified by K7 Security, which targeted Indian banking users and operated via phishing pages that disguise malicious APKs as official banking apps. K7 Security noted the malware could redirect calls and exfiltrate banking data, augmenting fraud capabilities beyond NFC-based attacks. The campaign also included a broader set of banking-targeted modules, including attempts to mine cryptocurrency on compromised devices. McAfee’s analysis of Indian banking-focused Android threats provides additional context on how fake card-related apps can serve as a dropper for malicious payloads. McAfee said the dropper technique helps evade static detection and complicates analysis.

Experts also warn that rooting frameworks pose additional risks. Zimperium zLabs described how tools like KernelSU, APatch, and SKRoot can be leveraged to gain root access and escalate privileges on compromised devices, enabling attackers to take full control. The firm noted a security flaw in KernelSU that could allow attackers to authenticate as the KernelSU manager and compromise a rooted device via a malicious app bundled with the official KernelSU manager APK, though exploitation requires specific timing relative to the legitimate app. Zimperium urged strong authentication and access controls to mitigate such risks.