Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits

A new wave of Android malware has emerged that uses Near Field Communication (NFC) relay fraud, call hijacking, and root exploits to compromise banking customers. The malicious apps have been distributed via fake Google Play web pages and mimic legitimate card protection apps. Users are advised to be cautious when installing apps from unofficial sources and regularly update their operating systems and security patches to prevent exploitation by attackers.

  • Android users are facing a new threat to their financial security due to emerging NFC relay fraud, call hijacking, and root exploits in malware apps.
  • The malicious apps mimic legitimate card protection apps and feature deceptive positive reviews to persuade victims into installing them.
  • The PhantomCard malware uses NFC technology to conduct relay attacks that facilitate fraudulent transactions against banking customers in Brazil.
  • The Android malware is distributed via fake Google Play web pages mimicking apps for card protection, with a package name "com.nfupay.s145" or "com.rc888.baxi.English".
  • The app requests victims to place their credit/debit card on the back of the phone and asks for PIN code to relay card data to an attacker-controlled NFC relay server.
  • The malware is the product of a Chinese malware-as-a-service offering known as NFU Pay that is advertised on Telegram; such services are widely sold in underground forums and private messaging groups, making them difficult to detect and stop in real time.
  • Indian banking users have also been targeted by Android malware designed to siphon financial information while dropping XMRig cryptocurrency miner on compromised devices.
  • A security flaw in KernelSU (version 0.5.7) can allow attackers to authenticate as the KernelSU manager and compromise a rooted Android device.

    Android users are facing a new threat to their financial security as a new wave of malware has emerged that uses Near Field Communication (NFC) relay fraud, call hijacking, and root exploits to compromise banking customers. The malicious apps, which have been distributed via fake Google Play web pages, mimic legitimate card protection apps and feature deceptive positive reviews to persuade victims into installing them.

    The malware, dubbed PhantomCard by cybersecurity researchers at ThreatFabric, abuses NFC technology to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. According to ThreatFabric, PhantomCard relays NFC data from a victim's banking card to the fraudster's device, allowing the attacker to use the victim's card as if it was in their hands.

    The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name "Proteção Cartões" (package name "com.nfupay.s145" or "com.rc888.baxi.English"). The bogus pages also feature deceptive positive reviews to persuade victims into installing the app.

    Once the app is installed and opened, it asks the victim to place their credit/debit card against the back of the phone to begin a "verification process", at which point the user interface displays the message: "Card Detected! Keep the card nearby until authentication is complete." In reality, the card data read by the NFC reader built into modern devices is relayed to an attacker-controlled NFC relay server.

    The PhantomCard-laced app then requests the victim to enter the PIN code with the goal of transmitting the information to the cybercriminal so as to authenticate the transaction. This allows the cybercriminal to use the victim's card as if it was in their hands, establishing a channel between the victim's physical card and the point-of-sale (PoS) terminal or ATM that the cybercriminal is next to.

    ThreatFabric said the actor behind the malware, Go1ano developer, is a "serial" reseller of Android threats in Brazil. PhantomCard itself is the handiwork of a Chinese malware-as-a-service offering known as NFU Pay that is advertised on Telegram.

    NFU Pay offers NFC relay capabilities similar to those of other illicit services such as SuperCard X, KingNFC, and X/Z/TX-NFC. These malicious apps are widely available in underground forums and private messaging groups, making them difficult to detect and stop in real time.

    The Dutch security company said the resulting fraud is harder to trace and stop because the transactions appear to originate from trusted, authenticated devices. The problem is compounded in markets where contactless payment usage is rising and low-value transactions often bypass PIN verification, since such payments complete without any step at which the victim could notice the fraud.

    This is not an isolated incident: Indian banking users have also been targeted by Android malware that is designed to siphon financial information while simultaneously dropping the XMRig cryptocurrency miner on compromised devices. The malicious credit card apps are distributed via convincing phishing pages that use real assets taken from official banking websites.

    The list of malicious apps includes Axis Bank Credit Card (com.NWilfxj.FxKDr), ICICI Bank Credit Card (com.NWilfxj.FxKDr), IndusInd Credit Card (com.NWilfxj.FxKDr), and State Bank of India Credit Card (com.NWilfxj.FxKDr). The malware is designed to display a bogus user interface that prompts victims to enter their personal information, including names, card numbers, CVV codes, expiry dates, and mobile numbers.
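As an added, defender-side example (not code from the article, ThreatFabric, or McAfee): a small offline triage script that takes the text of `adb shell pm list packages -f` and flags any installed package whose name matches the package names reported above for PhantomCard and the Indian credit-card dropper. The sample listing and its APK paths are constructed for the example; only the three package names come from the article.

```python
"""
Offline triage helper for Android package listings.

Input is the text of `adb shell pm list packages -f`, which prints one line
per installed package in the form:
    package:/data/app/<dir>/base.apk=com.example.app
Lines that do not follow that form are ignored.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Package names taken from the article; labels describe the campaign each
# name is associated with. Extend this table with your own intel as needed.
KNOWN_BAD: Dict[str, str] = {
    "com.nfupay.s145": "PhantomCard / Proteção Cartões (NFC relay, Brazil)",
    "com.rc888.baxi.English": "PhantomCard / Proteção Cartões (NFC relay, Brazil)",
    "com.NWilfxj.FxKDr": "Indian bank credit-card phishing dropper (XMRig miner)",
}

# Constructed sample output; the paths and the benign package names are invented.
SAMPLE_LISTING = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qz1AbC==/com.nfupay.s145-1/base.apk=com.nfupay.s145
package:/data/app/~~Rt2DeF==/com.example.bank-2/base.apk=com.example.bank
package:/data/app/~~Xy3GhI==/com.NWilfxj.FxKDr-1/base.apk=com.NWilfxj.FxKDr
this line is not a package entry and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    package: str
    apk_path: str
    label: str


def parse_pm_list(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (apk_path, package_name) pairs from `pm list packages -f` output.

    The APK directory name can itself contain '=' characters (base64-style
    install ids), so the package name is split off at the LAST '='.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        if "=" not in body:
            continue
        apk_path, package = body.rsplit("=", 1)
        if not apk_path or not package:
            continue
        yield apk_path, package


def triage(text: str, iocs: Dict[str, str] = KNOWN_BAD) -> List[Finding]:
    """Return one Finding per installed package whose name is in `iocs`.

    Android package names are case-sensitive, so matching is exact.
    """
    findings: List[Finding] = []
    for apk_path, package in parse_pm_list(text):
        label = iocs.get(package)
        if label is not None:
            findings.append(Finding(package, apk_path, label))
    return findings


def report(text: str) -> str:
    """Human-readable summary; empty string when nothing matched."""
    lines = [f"{f.package}  ({f.label})\n    apk: {f.apk_path}" for f in triage(text)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Typical use: adb shell pm list packages -f > listing.txt; python triage.py < listing.txt
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    out = report(source)
    print(out if out else "no known-bad packages found")
```

Exact package-name matching is only a first pass: the same dropper family is shipped under several app titles with one package name, and a fresh build can change the name at will, so treat a clean result as "no known indicator present" rather than "device is clean".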

    A notable aspect of the app is its ability to listen to specific messages sent via Firebase Cloud Messaging (FCM) to trigger the mining process. The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload.

    "This technique helps evade static detection and complicates analysis," said McAfee researcher Dexter Shin. "These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as 'Get App' or 'Download' buttons, which prompt users to install the malicious APK file."

    A separate Android malware campaign, dubbed SpyBanker, is aimed at Indian banking users and is likely distributed via WhatsApp under the guise of a customer help service app. Notably, SpyBanker sets the "Call Forward Number" to a hard-coded mobile number controlled by the attacker, registers a service called 'CallForwardingService', and redirects the user's calls.

    Furthermore, the malware comes fitted with capabilities to collect victims' SIM details, sensitive banking information, SMS messages, and notification data.

    Cybersecurity researchers at Zimperium zLabs have discovered a security flaw in KernelSU (version 0.5.7) that could allow attackers to authenticate as the KernelSU manager and completely compromise a rooted Android device via a malicious application already installed on it that also bundles the official KernelSU manager APK.

    An important caveat is that the attack only works if the threat actor's application is executed before the legitimate KernelSU manager application. "Because system calls can be triggered by any app on the device, strong authentication and access controls are essential," security researcher Marcel Bathke said.

    Unfortunately, this authentication layer is often poorly implemented or entirely neglected, which opens the door to serious security risks: improper authentication can allow malicious apps to gain root access and fully compromise the device.

    The discovery of these new Android malware threats highlights the importance of staying vigilant and taking proactive measures to protect against emerging threats. Users should be cautious when installing apps from unofficial sources and regularly update their operating systems and security patches to prevent exploitation by attackers.

    The use of Near Field Communication (NFC) relay fraud, call hijacking, and root exploits in Android malware campaigns is becoming increasingly common, making it essential for users to stay informed about the latest threats and take necessary precautions to protect their devices and data.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Android-Malware-Wave-Hits-Banking-via-NFC-Relay-Fraud-Call-Hijacking-and-Root-Exploits-ehn.shtml

  • https://thehackernews.com/2025/08/new-android-malware-wave-hits-banking.html


  • Published: Thu Aug 14 07:57:11 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.