New NFC-Enabled PhantomCard Android Malware Targeting Banking Users

A sophisticated new Android malware known as PhantomCard has emerged from Brazil’s cybercriminal underground, marking a significant evolution in mobile banking threats. This malicious application exploits Near Field Communication (NFC) technology to create a seamless connection between victims’ physical banking cards and fraudsters’ devices, enabling real-time financial theft without requiring physical card possession. The malware disguises itself as a legitimate “Proteção Cartões” (Card Protection) application, distributed through convincing fake Google Play Store pages that promise enhanced security for users’ banking cards. PhantomCard operates through an ingenious relay mechanism that transforms infected smartphones into remote card skimmers. When victims are prompted to tap their banking cards against their phones for what they believe is a security verification process, the malware silently captures and transmits the NFC data to cybercriminals’ devices via encrypted channels. This allows fraudsters to conduct transactions at Point-of-Sale terminals or ATMs as if they physically possessed the victim’s card, complete with PIN authentication that the malware separately harvests through a convincing interface.

Threat Fabric analysts have identified that PhantomCard is not an original creation but rather a customised version of the Chinese-originated “NFU Pay” Malware-as-a-Service platform. This discovery reveals a concerning trend where international cybercriminal tools are being localised and redistributed by regional threat actors, specifically targeting Brazilian banking customers while maintaining global expansion capabilities. The malware’s Command-and-Control server includes endpoints specifically coded for Brazilian operations, with “/baxi/b” referencing “Brazil” in Chinese (巴西, Bāxī). The technical implementation of PhantomCard demonstrates a sophisticated understanding of EMV payment protocols. The malware specifically targets ISO-DEP (ISO 14443-4) standard contactless cards, utilising the “scuba_smartcards” library for data parsing. Upon detecting an NFC tag, PhantomCard establishes an ISO-DEP connection and sends a crucial APDU command: 00A404000E325041592E5359532E444446303100, which selects the Payment System Environment directory. This command specifically targets EMV cards by accessing the “2PAY.SYS.DDF01” directory used in modern payment systems. PhantomCard’s relay mechanism operates through a sophisticated two-phase process that seamlessly bridges physical cards with remote terminals. The malware first establishes connection parameters with extensive logging capabilities, as evidenced in the code snippet showing Chinese debug. 

Categories: Mobile Banking Threats, Malware Distribution Techniques, NFC Technology Exploitation 

Tags: PhantomCard, Android Malware, NFC Technology, Mobile Banking, Financial Theft, Cybercriminals, EMV Payment Protocols, Relay Mechanism, ISO-DEP, Malware-as-a-Service