PhantomCard, an NFC-driven Android Trojan in Brazil, relays card data to fraudsters, spread via fake Google Play “card protection” apps. ThreatFabric warns of PhantomCard, a new Android NFC-driven trojan targeting Brazilian banking customers and possibly expanding globally. The malicious code is based on Chinese NFC relay Malware-as-a-Service, it relays victims’ card data to fraudsters for cash-out. The […]

INETCO provides real-time transaction performance monitoring, payment fraud detection and on-demand analytics solutions for omni-channel banking, ATM self-service networks and payment processing environments.

PhantomCard Android malware uses NFC to steal banking card data via fake security apps, enabling real-time theft through infected devices.

El nuevo Android Trojan PhantomCard, dirigido por NFC, se dirige a los clientes del banco brasileño Pierluigi Paganini 15 de agosto de 2025 PhantomCard, un troyano Android impulsado por NFC en Brasil, transmite datos de tarjetas a estafadores, se extiende a través de aplicaciones falsas de "protección de cartas" de Google Play. Amenazfabric advierte de PhantomCard, un nuevo troyano impulsado por Android NFC dirigido a clientes bancarios brasileños y posiblemente expandiéndose a nivel mundial.

PhantomCard, a new Android trojan, is swiping banking data in Brazil without breaking a sweat. This NFC relay malware tricks users into thinking they're protecting their cards while relaying sensitive info to fraudsters. With fake Google Play pages and glowing reviews, it’s like catfishing for your wallet!

According to the information provided, Brazilian cybercriminals are utilizing a malware named NFC PhantomCard to steal banking card data by exploiting Near Field Communication (NFC) technology. This malware targets bank users, intercepting sensitive card information through NFC, leading to unauthorized remote transactions and financial data theft. For complete and accurate details, it is essential to visit the provided URL (https://www.freebuf.com/articles/endpoint/444502.html). Technically, NFC is a short-range wireless communication technology commonly used in contactless payments. The security of NFC is based on its limited communication range and encryption. However, the PhantomCard malware's ability to intercept NFC communications suggests potential vulnerabilities in NFC's implementation or exploitation of its protocols. The exact mechanism of this exploitation is not clear from the provided information and would require further technical details from the source article. The impact on the cybersecurity landscape could be significant. NFC is a cornerstone of modern contactless payment systems, and any vulnerability could undermine trust in these systems. Financial institutions and payment processors may need to reassess and bolster their NFC security measures to prevent such exploits. From an expert standpoint, this incident highlights the importance of ongoing security assessments and updates. Even well-established technologies like NFC can have vulnerabilities that malicious actors may exploit. Regular security audits, prompt software updates, and strong encryption practices are crucial for mitigating such risks. For actionable intelligence, users should be vigilant when using NFC-enabled payments and ensure their devices are updated with the latest security patches. Financial institutions should investigate this malware to identify and address any vulnerabilities in their NFC systems. Additionally, user education on the risks and safe practices for contactless payments is advisable.

PhantomCard is a sophisticated Android malware leveraging NFC relaying techniques.

INETCO provides real-time transaction performance monitoring, payment fraud detection and on-demand analytics solutions for omni-channel banking, ATM self-service networks and payment processing environments.

A New Era of Mobile Banking Fraud Emerges Brazil’s banking sector is facing a dangerous new cyber threat: PhantomCard, an Android-based NFC-driven Trojan capable of relaying victims’ card data in real time to criminals for fraudulent transactions. Developed from Chinese NFC relay Malware-as-a-Service (MaaS) technology, this malware is being customized and resold by a well-known Brazilian cybercriminal, operating under the alias “Go1ano Developer.”

Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. "PhantomCard relays NFC data from a victim's banking card to the fraudster's device," ThreatFabric said in a report. "PhantomCard is based on

ThreatFabric has uncovered PhantomCard, an NFC-relay trojan capable of cloning contactless cards, primarily targeting the banking sector in Brazil. Concurrently, K7 Labs has identified SpyBanker, a dropper that diverts bank calls, affecting users in India. These threats highlight critical vulnerabilities in contactless payment systems and call diversion policies. PhantomCard exploits NFC technology to clone cards without physical access, posing a significant risk to financial transactions. SpyBanker, as a dropper, installs malicious payloads to intercept or reroute bank calls, potentially leading to fraudulent activities. The emergence of these threats underscores the urgent need for enhanced security measures in contactless payments and call handling protocols. Banks and financial institutions must prioritize advanced threat detection systems, robust encryption methods for NFC transactions, and continuous monitoring of call diversion activities. Additionally, customer education on the risks associated with contactless payments and phone-based banking is crucial. These developments emphasize the evolving tactics of cybercriminals and the necessity for proactive cybersecurity strategies to mitigate such sophisticated attacks.

El nuevo Android Trojan PhantomCard, dirigido por NFC, se dirige a los clientes del banco brasileño Pierluigi Paganini 15 de agosto de 2025 PhantomCard, un troyano Android impulsado por NFC en Brasil, transmite datos de tarjetas a estafadores, se extiende a través de aplicaciones falsas de "protección de cartas" de Google Play. Amenazfabric advierte de PhantomCard, un nuevo troyano impulsado por Android NFC dirigido a clientes bancarios brasileños y posiblemente expandiéndose a nivel mundial.

Eliminate PhantomCard Banking Trojan from Android devices with our step-by-step removal guide. Stay secure!

Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor. Enroll Now and Save 10%: Coupon Code MWNEWS10 Note: Affiliate link – your enrollment helps support this platform at no extra cost to you. Our Mobile Threat Intelligence service is monitoring NFC-relay threats and tactics since the discovery of NFSkate (aka NGate) in March 2024. Ghost Tap became another milestone on the evolution of NFC-based at...

A sophisticated new Android malware dubbed PhantomCard has emerged from the shadows of Brazil’s cybercriminal underground, representing a significant evolution in mobile banking threats. This malicious application leverages Near Field Communication (NFC) technology to create a seamless bridge between victims’ physical banking cards and fraudsters’ devices, enabling real-time financial theft without the need for physical card possession. The malware masquerades as a legitimate “Proteção Cartões” (Card Protection) application, distributed through convincing fake Google Play Store pages that promise enhanced security for users’ banking cards. PhantomCard operates through an ingenious relay mechanism that transforms infected smartphones into remote card skimmers . When victims are prompted to tap their banking cards against their phone to initiate what they believe is a security verification process, the malware silently captures and transmits the NFC data to cybercriminals’ devices via encrypted channels. Fake page distribution (Source – Threat Fabric) This allows fraudsters to conduct transactions at Point-of-Sale terminals or ATMs as if they physically possessed the victim’s card, complete with PIN authentication that the malware separately harvests through a convincing interface. Threat Fabric analysts identified that PhantomCard is not an original creation but rather a customized version of the Chinese-originated “NFU Pay” Malware-as-a-Service platform. The discovery reveals a concerning trend where international cybercriminal tools are being localized and redistributed by regional threat actors, specifically targeting Brazilian banking customers while maintaining global expansion capabilities. The malware’s Command-and-Control server includes endpoints specifically coded for Brazilian operations, with “/baxi/b” referencing “Brazil” in Chinese (巴西, Bāxī). The technical implementation of PhantomCard demonstrates sophisticated understanding of EMV payment protocols. The malware specifically targets ISO-DEP (ISO 14443-4) standard contactless cards, utilizing the “scuba_smartcards” library for data parsing. On the left – ‘victim’ tapping the card against the device infected with PhantomCard (Source – Threat Fabric) Upon detecting an NFC tag, PhantomCard establishes an ISO-DEP connection and sends a crucial APDU command: 00A404000E325041592E5359532E444446303100 , which selects the Payment System Environment directory. This command specifically targets EMV cards by accessing the “2PAY.SYS.DDF01” directory used in modern payment systems. Advanced NFC Relay Architecture PhantomCard’s relay mechanism operates through a sophisticated two-phase process that seamlessly bridges physical cards with remote terminals. The malware first establishes connection parameters with extensive logging capabilities, as evidenced in the code snippet showing Chinese debug messages: “正在建立ISO-DEP连接…” (Establishing ISO-DEP connection). The application sets communication timeouts to 120,000 milliseconds, ensuring stable data transmission even in challenging network conditions. When cybercriminals initiate fraudulent transactions, PhantomCard receives WebSocket messages containing transaction instructions. The malware parses these commands and identifies transaction data through pattern matching, specifically detecting “80A” instruction codes that indicate payment authorization requests. Critical transaction elements including amount and currency codes are extracted from specific byte positions within the APDU commands, enabling precise transaction replication at remote locations. This sophisticated relay system represents a dangerous evolution in mobile banking threats, combining social engineering with advanced NFC manipulation to create virtually undetectable fraud scenarios that traditional banking security systems struggle to identify. Boost your SOC and help your team protect your business with free top-notch threat intelligence:  Request TI Lookup Premium Trial . The post New NFC-Driven PhantomCard Android Malware Attacking Banking Users appeared first on Cyber Security News .