ThreatFabric disclosed PhantomCard, an Android banking trojan in Brazil that performs NFC relay fraud by prompting users to tap cards and then capturing/transmitting card data and PINs to criminals. The campaign is delivered via fake Google Play pages, operated as a Chinese-origin Malware-as-a-Service enabling affiliate-driven regionalized attacks. #PhantomCard #ProteçãoCartões
Keypoints
- PhantomCard is an Android banking trojan that conducts NFC relay fraud by intercepting card data when victims tap cards to their devices.
- The malware is distributed as a fake “Proteção Cartões” app on counterfeit Google Play Store pages with fabricated positive reviews.
- Once installed, PhantomCard captures NFC data without extra permissions and also prompts users to provide their PIN to enable real-time POS/ATM fraud.
- The campaign is powered by a Chinese-origin Malware-as-a-Service (MaaS), allowing affiliates to create customized, regionally targeted variants focused on Brazil.
- Zimperium’s MTD and zDefend detected 100% of reported samples and found 8 additional related samples, demonstrating effective zero-day dynamic detection.
- NFC relay transactions appear legitimate to banks, making traditional fraud detection less effective and increasing risk to financial institutions with Brazilian customers.
- Organizations are advised to deploy mobile defenses that block overlay tactics, detect inappropriate NFC interactions, and intercept suspicious on-device C2 communications.
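The keypoints above describe the capability set an NFC relay trojan needs on the victim's phone: it reads the card over NFC (a normal-protocol permission, so no runtime prompt), ships the data off-device, and shows a PIN prompt. A defender triaging sideloaded APKs can turn that into a manifest check. The script below is an added example written for this summary, not code from ThreatFabric or Zimperium and not a PhantomCard detection signature; the two AndroidManifest.xml documents and the package names in it are constructed for illustration, and the permission combination it flags is a review heuristic (legitimate wallets and card readers will also match), not proof of malice.

```python
"""Triage Android manifests for the permission set an NFC relay app needs.

Added example: constructed manifests, heuristic rules. An app that reads
contactless cards and relays them to an attacker needs at least
android.permission.NFC (to read the card) and android.permission.INTERNET
(to send it away). SYSTEM_ALERT_WINDOW is recorded as an overlay-tactic
signal, and a registered host card emulation (HCE) service is recorded
because it lets an app replay card data to a payment terminal.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_LABEL = f"{{{ANDROID_NS}}}label"

# Intent action a HostApduService registers to receive terminal APDUs.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the NFC/network/overlay findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}

    # Services whose intent filter carries the HCE action can emulate a card.
    hce_services = [
        svc.get(A_NAME)
        for svc in root.iter("service")
        if HCE_ACTION in {a.get(A_NAME) for a in svc.iter("action")}
    ]

    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "label": app.get(A_LABEL) if app is not None else None,
        "nfc": "android.permission.NFC" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "hce_services": hce_services,
    }

    # Relay prerequisite: can read a card AND can send what it read off-device.
    findings["needs_review"] = findings["nfc"] and findings["internet"]

    reasons = []
    if findings["needs_review"]:
        reasons.append("reads NFC and has network access: card data can be relayed off-device")
    if findings["overlay"]:
        reasons.append("overlay permission: can draw a fake PIN prompt over other apps")
    if hce_services:
        reasons.append("registers an HCE service: can present card data to a terminal")
    findings["reasons"] = reasons
    return findings


# Constructed manifest modelled on the capability set described for the
# fake card-protection app; the package name is a placeholder.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardprotect">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Proteção Cartões">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary networked app with no NFC use.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        flag = "REVIEW" if result["needs_review"] else "ok"
        print(f"{result['package']} ({result['label']}): {flag}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

Run against an APK's decoded manifest (for example the output of `apktool d`), the check separates apps that merely use the network from those that can both read a card and send it somewhere. The NFC permission alone is a weak signal, which is why the script reports the combination and the aggravating overlay and HCE findings rather than a verdict; an analyst then looks at where the app sends its traffic, which is the on-device C2 interception the advisory recommends.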
MITRE Techniques
- [T1402] Abuse NFC functionality – PhantomCard captures NFC card data by prompting users to tap their cards to the device (“prompts users to tap their bank card against their device… it then captures NFC data from the card and transmits it to the attacker”).
- [T1436] Input Capture (Ask for PIN) – The app requests the user’s PIN to enable attackers to complete POS/ATM transactions (“the app also requests the user’s PIN code to ensure the cybercriminal can complete point-of-sale (POS) or ATM transactions”).
- [T1391] Masquerading as Legitimate Application – Distribution via fake Google Play pages and counterfeit reviews to lure victims (“masquerades as a ‘Proteção Cartões’ app hosted on fake Google Play Store pages, complete with counterfeit positive reviews”).
- [T1584] Compromise Infrastructure: Command and Control – Malware transmits captured data to attackers and uses on-device C2 communications that should be intercepted (“captures NFC data from the card and transmits it to the attacker”; “intercept suspicious command-and-control communication on-device”).
- [T1606] Use of Malware-as-a-Service (MaaS) – Chinese-origin MaaS enables affiliates to deploy customized variants and regionalize fraud (“powered by a Chinese-originated Malware-as-a-Service (MaaS), allowing multiple affiliates to deploy customized variations rapidly”).
Indicators of Compromise
- [File Name] Fake app name used for distribution – “Proteção Cartões” (masqueraded app name on counterfeit Play Store pages).
- [Repository/Report] Threat intelligence sources – ThreatFabric report and repository listing new IOCs (report link referenced; “The list of new IOCs can be found in this repository”).
- [Samples] Malware samples – Zimperium shared samples used for detection and uncovered 8 additional related samples (sample bundle referenced; “uncovered an additional 8 samples connected to the PhantomCard campaign”).