A sophisticated new Android malware dubbed PhantomCard has emerged from the shadows of Brazil’s cybercriminal underground, representing a significant evolution in mobile banking threats.
This malicious application leverages Near Field Communication (NFC) technology to create a seamless bridge between victims’ physical banking cards and fraudsters’ devices, enabling real-time financial theft without the need for physical card possession.
The malware masquerades as a legitimate “Proteção Cartões” (Card Protection) application, distributed through convincing fake Google Play Store pages that promise enhanced security for users’ banking cards.
PhantomCard operates through an ingenious relay mechanism that transforms infected smartphones into remote card skimmers.
When victims are prompted to tap their banking cards against their phone to initiate what they believe is a security verification process, the malware silently captures and transmits the NFC data to cybercriminals’ devices via encrypted channels.
Fake page distribution (Source – Threat Fabric)
This allows fraudsters to conduct transactions at Point-of-Sale terminals or ATMs as if they physically possessed the victim’s card, complete with PIN authentication that the malware separately harvests through a convincing interface.
Threat Fabric analysts identified that PhantomCard is not an original creation but rather a customized version of the Chinese-originated “NFU Pay” Malware-as-a-Service platform.
The discovery reveals a concerning trend where international cybercriminal tools are being localized and redistributed by regional threat actors, specifically targeting Brazilian banking customers while maintaining global expansion capabilities.
The malware’s Command-and-Control server includes endpoints specifically coded for Brazilian operations, with “/baxi/b” referencing “Brazil” in Chinese (巴西, Bāxī).
The technical implementation of PhantomCard demonstrates sophisticated understanding of EMV payment protocols. The malware specifically targets ISO-DEP (ISO 14443-4) standard contactless cards, utilizing the “scuba_smartcards” library for data parsing.
On the left – ‘victim’ tapping the card against the device infected with PhantomCard (Source – Threat Fabric)
Upon detecting an NFC tag, PhantomCard establishes an ISO-DEP connection and sends a crucial APDU command: 00A404000E325041592E5359532E444446303100, which selects the Payment System Environment directory.
This command specifically targets EMV cards by accessing the “2PAY.SYS.DDF01” directory used in modern payment systems.
Advanced NFC Relay Architecture
PhantomCard’s relay mechanism operates through a sophisticated two-phase process that seamlessly bridges physical cards with remote terminals.
The malware first establishes connection parameters with extensive logging capabilities, as evidenced in the code snippet showing Chinese debug messages: “正在建立ISO-DEP连接…” (Establishing ISO-DEP connection).
The application sets communication timeouts to 120,000 milliseconds, ensuring stable data transmission even in challenging network conditions.
When cybercriminals initiate fraudulent transactions, PhantomCard receives WebSocket messages containing transaction instructions.
The malware parses these commands and identifies transaction data through pattern matching, specifically detecting “80A” instruction codes that indicate payment authorization requests.
Critical transaction elements including amount and currency codes are extracted from specific byte positions within the APDU commands, enabling precise transaction replication at remote locations.
This sophisticated relay system represents a dangerous evolution in mobile banking threats, combining social engineering with advanced NFC manipulation to create virtually undetectable fraud scenarios that traditional banking security systems struggle to identify.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
