PhantomCard, a malicious Android app posing as a card protection service, is being used to steal contactless payment card data and carry out fraudulent transactions remotely, GBHackers News reports. According to analysts at ThreatFabric, the Near Field Communication (NFC)-based trojan is currently active in Brazil but is built to be adapted to other markets. Distributed through fake websites imitating Google Play, it prompts victims to tap their bank card against the phone for "verification" and silently forwards the card's NFC data to an attacker-controlled server. When a tap succeeds, the command-and-control server records the captured data and alerts the operators that the card is ready for fraudulent use. The attackers then relay the card in real time to point-of-sale terminals or automated teller machines elsewhere, and the app can also request the victim's personal identification number and transmit it so that larger withdrawals or purchases can be made.

Analysis showed PhantomCard to be a localized adaptation of NFU Pay, a Chinese-developed NFC malware-as-a-service platform, rebranded and distributed by Go1ano developer, a Brazilian threat actor. Indicators such as the command-and-control endpoint /baxi/b (baxi being the Chinese word for Brazil) point to region-specific customization and raise the concern that similar variants could be tailored to other markets. Experts warned that this model makes advanced mobile fraud tooling more accessible in regional underground markets.
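To make the relay mechanism concrete, the following is an added, self-contained model written for this page; it is not PhantomCard's, NFU Pay's or ThreatFabric's code. A genuine card answers the terminal's first SELECT directly; a relay forwards the same APDU from a remote terminal to the tapped card and back through the operators' server, so every command pays network latency twice. The terminal in the model times that first exchange and rejects a card that answers slower than a physical tap could. The APDU bytes, the 20 ms per-hop delay and the 10 ms acceptance threshold are constructed values for the demonstration, not measurements of the real malware or of any payment network.

```python
import time
from dataclasses import dataclass, field

# Constructed sample APDUs, ISO 7816-4 framed. The SELECT targets the
# contactless Proximity Payment System Environment ("2PAY.SYS.DDF01").
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
# Constructed File Control Information reply plus status word 9000 (success).
PPSE_FCI = bytes.fromhex("6F10840E325041592E5359532E4444463031") + b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6A\x82"


class Card:
    """The victim's contactless card, answering APDUs over a genuine NFC link."""

    def transact(self, apdu: bytes) -> bytes:
        if apdu == SELECT_PPSE:
            return PPSE_FCI
        return SW_FILE_NOT_FOUND


@dataclass
class Relay:
    """Malicious app, C2 server and attacker-side emulator folded into one object:
    each APDU the remote terminal sends is forwarded to the tapped card and the
    answer sent back, every hop paying the (hypothetical) network delay."""

    card: Card
    hop_delay_s: float
    captured: list = field(default_factory=list)  # what the C2 would log

    def transact(self, apdu: bytes) -> bytes:
        time.sleep(self.hop_delay_s)   # terminal -> emulator -> C2 -> phone
        resp = self.card.transact(apdu)
        time.sleep(self.hop_delay_s)   # and the reply back
        self.captured.append((apdu, resp))
        return resp


@dataclass
class Terminal:
    """A POS terminal that times the first SELECT and refuses a card that
    answers slower than a physical tap could (hypothetical threshold)."""

    max_rtt_ms: float = 10.0

    def select_ppse(self, presenter) -> dict:
        t0 = time.perf_counter()
        resp = presenter.transact(SELECT_PPSE)
        rtt_ms = (time.perf_counter() - t0) * 1000.0
        sw_ok = resp[-2:] == b"\x90\x00"
        return {
            "sw_ok": sw_ok,
            "rtt_ms": rtt_ms,
            "accepted": sw_ok and rtt_ms <= self.max_rtt_ms,
        }


def run_demo() -> tuple[dict, dict, list]:
    """Same card, once tapped directly and once through a 20 ms-per-hop relay."""
    card = Card()
    direct = Terminal().select_ppse(card)
    relay = Relay(card, hop_delay_s=0.02)   # constructed latency
    relayed = Terminal().select_ppse(relay)
    return direct, relayed, relay.captured


if __name__ == "__main__":
    direct, relayed, captured = run_demo()
    print("direct tap:  ", direct)
    print("relayed tap: ", relayed)
    print("APDUs seen by the relay:", [(a.hex(), r.hex()) for a, r in captured])
```

The relayed response is byte-for-byte identical to the genuine one, which is why content inspection alone cannot tell the two apart; only the timing differs. Real EMV deployments implement this idea with a dedicated relay-resistance exchange rather than by timing the first SELECT, and that check is optional per scheme and terminal, so a practitioner should treat the model as the principle, not as a description of any specific terminal's behaviour.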
Contactless card data theft attributed to PhantomCard malware