

Ethical Hacking News

New Android Trojan PhantomCard: A Growing Threat to Brazilian Bank Customers



A new type of Android Trojan, known as PhantomCard, has been discovered in Brazil, posing a significant threat to Brazilian bank customers. This malware relays card data from its victims' cards to criminals' devices for fraudulent payments or ATM use, making it challenging to detect and prevent such scams.

  • The PhantomCard Trojan is an Android NFC-driven malware posing a significant threat to Brazilian bank customers.
  • The malware relays card data from victims' cards to criminals' devices for fraudulent payments or ATM use.
  • PhantomCard is tailored for Brazil, with C2 endpoint "baxi/b" (Brazil in Chinese), and NFU Pay's developers support region-specific versions.
  • The malware uses the "scuba_smartcards" library to parse data and sends specific APDU commands to select the EMV PSE directory.
  • PhantomCard poses a high fraud risk for banks, requiring better monitoring and user awareness to detect and prevent scams.



    PhantomCard is a new type of Android NFC-driven Trojan discovered by researchers that poses a significant threat to Brazilian bank customers. According to recent reports, the malicious code originates from the Chinese-developed malware NFU Pay and is resold in Brazil by "Go1ano Developer".

    The PhantomCard Trojan is designed to relay card data from its victims' cards to criminals' devices for fraudulent payments or ATM use. Once installed on a victim's device, it prompts them to tap their card, captures NFC data, and requests the PIN to complete transactions via an NFC relay server under criminal control. This creates a live channel between a victim's card and a POS/ATM near the criminal, enabling real-time fraudulent payments.

    The researchers found that PhantomCard is tailored for Brazil, as demonstrated by its C2 endpoint "baxi/b" (Brazil in Chinese). NFU Pay's developers support region-specific versions, suggesting future variants targeting other regions globally. The malware contains Chinese debug messages and references to the "NFU Pay" MaaS, indicating that "Go1ano Developer" bought and customized it to target mobile banking users.

    PhantomCard's code uses the "scuba_smartcards" library to parse card data and sends the APDU 00A404000E325041592E5359532E444446303100 to select the EMV PSE directory. It then uploads metadata to its server, where it can be accessed by the criminal-side app installed on the criminal's device. This allows the malware to relay transactions between the POS terminal and the victim's card in real time.
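    Decoding the APDU quoted above, as an added example (not code from PhantomCard, ThreatFabric or this article): a short-form ISO 7816-4 command parser that an analyst can use to recognise payment-directory SELECTs among a sample's strings or in captured NFC traffic. The function names are hypothetical; the data field of the quoted APDU decodes to 2PAY.SYS.DDF01, the name of EMV's contactless payment directory.

```python
"""Decode a short ISO 7816-4 command APDU and flag EMV payment-directory SELECTs."""

# APDU exactly as quoted in the article (hex).
ARTICLE_APDU = "00A404000E325041592E5359532E444446303100"

# EMV payment directory DF names: contact (PSE) and contactless (PPSE).
DIRECTORY_DF_NAMES = {
    b"1PAY.SYS.DDF01": "PSE (contact)",
    b"2PAY.SYS.DDF01": "PPSE (contactless)",
}


def parse_command_apdu(hex_apdu: str) -> dict:
    """Split a short-form command APDU into header, data field and Le."""
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    data, le = b"", None
    if len(body) == 1:                 # case 2: Le only
        le = body[0]
    elif len(body) > 1:                # case 3 or 4: Lc, data, optional Le
        lc, rest = body[0], body[1:]
        if lc == 0:
            raise ValueError("extended-length APDUs are not handled here")
        if len(rest) == lc:            # case 3: no Le
            data = rest
        elif len(rest) == lc + 1:      # case 4: trailing Le (0x00 means 256)
            data, le = rest[:lc], rest[lc]
        else:
            raise ValueError(f"Lc={lc} does not match {len(rest)} trailing bytes")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def describe(hex_apdu: str) -> str:
    """Return a one-line triage label for a command APDU."""
    apdu = parse_command_apdu(hex_apdu)
    if apdu["ins"] == 0xA4 and apdu["p1"] == 0x04:   # SELECT by DF name / AID
        label = DIRECTORY_DF_NAMES.get(apdu["data"])
        if label:
            name = apdu["data"].decode("ascii")
            return f"SELECT by DF name {name} -> EMV {label} directory"
        return f"SELECT by DF name/AID {apdu['data'].hex().upper()}"
    return f"INS {apdu['ins']:02X} (not a SELECT by name)"


if __name__ == "__main__":
    print(describe(ARTICLE_APDU))
```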

    The Android malware highlights the growing popularity of NFC-based attacks and the demand for services enabling them. Offered as Malware-as-a-Service, it lets low-tech fraudsters perform NFC relay fraud without deep technical skills. The Chinese-developed malware was customized for local actors, reflecting a re-selling model seen with other threats like BTMOB.

    For banks, PhantomCard poses a high fraud risk because the relayed transactions appear legitimate; detecting and preventing such scams requires better monitoring and user awareness. As stated in the report by ThreatFabric, "The presence of PhantomCard-like malware on user's device should be a strong risk indicator for financial organizations as it leads to fraud that is hard to spot with traditional transaction monitoring systems."

    This threat highlights the ongoing cat-and-mouse game between cybercriminals and law enforcement agencies. As new technologies emerge, so do new threats. The case of PhantomCard serves as a reminder for individuals and institutions to stay vigilant and take proactive measures to protect themselves from such malicious attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Android-Trojan-PhantomCard-A-Growing-Threat-to-Brazilian-Bank-Customers-ehn.shtml

  • https://securityaffairs.com/181186/malware/new-nfc-driven-android-trojan-phantomcard-targets-brazilian-bank-customers.html

  • https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil

  • https://thehackernews.com/2025/08/new-android-malware-wave-hits-banking.html


  • Published: Fri Aug 15 13:50:30 2025 by llama3.2 3B Q4_K_M












