New NFC-Based PhantomCard Malware Targets Android Banking Users – Against Invaders – Notícias de CyberSecurity para humanos.


ThreatFabric analysts have uncovered PhantomCard, a sophisticated NFC-based Trojan designed to relay sensitive card data from victims’ devices to cybercriminals.

This malware, which primarily targets banking customers in Brazil but shows potential for global expansion, exemplifies the growing interest among threat actors in NFC relay attacks.

PhantomCard operates by masquerading as a legitimate “card protection” app (the samples listed below are named “Proteção Cartões”, Portuguese for “Card Protection”), distributed through deceptive web pages that mimic the Google Play Store.

Once installed, it needs no runtime permission prompt, because Android’s NFC permission is granted at install time; it immediately asks the user to tap their physical banking card against the infected device for a supposed verification.

This action initiates the relay of NFC data via a criminal-controlled server, enabling fraudsters to perform unauthorized transactions at point-of-sale (POS) terminals or ATMs as if they held the victim’s card.

PhantomCard’s core functionality relies on the NFC reader in modern Android devices, speaking ISO-DEP (ISO/IEC 14443-4), the transport protocol used by EMV contactless cards.

Upon detecting a card, the malware sends specific Application Protocol Data Units (APDUs), starting with a SELECT for the Proximity Payment System Environment (PPSE, DF name “2PAY.SYS.DDF01”), the same command a real POS terminal sends first. A successful response confirms that the card is EMV-compatible and lists the payment applications (AIDs) it offers.

If successful, the data is forwarded to a command-and-control (C2) server, alerting attackers that the card is ready for exploitation.

The malware then facilitates a bidirectional relay: transaction instructions from the fraudster’s side are parsed and forwarded to the victim’s card, while responses are sent back, effectively bridging the physical card to a remote POS or ATM.
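The probe described above, as an added example that is not ThreatFabric’s or PhantomCard’s code: it builds the SELECT PPSE command, parses the BER-TLV File Control Information the card returns, and lists the payment applications. The card response is constructed by hand for this example (it is not a real card dump); the two AIDs are the public Mastercard and Visa contactless AIDs, and `fake_card` stands in for Android’s `IsoDep.transceive`. A relay simply forwards these same bytes between a remote terminal and the local card.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# DF name of the Proximity Payment System Environment; every EMV contactless
# card answers a SELECT for it with a directory of its payment applications.
PPSE_NAME = b"2PAY.SYS.DDF01"


def select_apdu(df_name: bytes) -> bytes:
    """ISO 7816-4 SELECT by name: CLA=00 INS=A4 P1=04 P2=00 Lc <name> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(df_name)]) + df_name + b"\x00"


def ber_tlv_parse(data: bytes) -> list:
    """Split one level of BER-TLV into (tag, value) pairs.

    Handles multi-byte tags (e.g. BF0C), short and long definite lengths and
    00/FF padding; raises on a truncated object.
    """
    items, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # inter-object padding
            i += 1
            continue
        start = i
        i += 1
        if (data[start] & 0x1F) == 0x1F:       # tag continues while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                      # long form: N length bytes follow
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV for tag {tag.hex()}")
        i += length
        items.append((tag, value))
    return items


def find_all(data: bytes, wanted: bytes) -> list:
    """Collect every value with tag `wanted`, descending into constructed objects."""
    hits = []
    for tag, value in ber_tlv_parse(data):
        if tag == wanted:
            hits.append(value)
        if tag[0] & 0x20:                      # constructed: nested TLVs inside
            hits.extend(find_all(value, wanted))
    return hits


@dataclass
class PaymentApp:
    aid: bytes
    label: str
    priority: Optional[int]   # Application Priority Indicator, 1 = highest


def parse_ppse_response(resp: bytes) -> list:
    """FCI from SELECT PPSE -> payment apps. Each directory entry (tag 61) carries
    the AID (4F), an optional label (50) and the priority indicator (87)."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        raise ValueError(f"SELECT PPSE failed, SW={resp[-2:].hex()}")
    apps = []
    for entry in find_all(resp[:-2], b"\x61"):
        fields = dict(ber_tlv_parse(entry))
        if b"\x4F" not in fields:
            continue
        prio = (fields[b"\x87"][0] & 0x0F) if b"\x87" in fields else None
        label = fields.get(b"\x50", b"").decode("ascii", "replace")
        apps.append(PaymentApp(fields[b"\x4F"], label, prio))
    apps.sort(key=lambda a: (a.priority is None, a.priority or 0))
    return apps


def probe_card(transceive: Callable[[bytes], bytes]) -> list:
    """One round trip; `transceive` is whatever talks to the card (IsoDep.transceive on Android)."""
    return parse_ppse_response(transceive(select_apdu(PPSE_NAME)))


# ---- constructed sample card (not a real dump) ------------------------------
def _tlv(tag: bytes, value: bytes) -> bytes:
    assert len(value) < 0x80, "short-form length is enough for this sample"
    return tag + bytes([len(value)]) + value

SAMPLE_PPSE_FCI = _tlv(b"\x6F",
    _tlv(b"\x84", PPSE_NAME)
    + _tlv(b"\xA5", _tlv(b"\xBF\x0C",
        _tlv(b"\x61", _tlv(b"\x4F", bytes.fromhex("A0000000041010"))     # Mastercard
                      + _tlv(b"\x50", b"MasterCard") + _tlv(b"\x87", b"\x02"))
        + _tlv(b"\x61", _tlv(b"\x4F", bytes.fromhex("A0000000031010"))   # Visa
                        + _tlv(b"\x50", b"VISA") + _tlv(b"\x87", b"\x01"))))
) + b"\x90\x00"


def fake_card(apdu: bytes) -> bytes:
    """Stand-in for the hardware: answers the PPSE SELECT, else 6A82 (file not found)."""
    return SAMPLE_PPSE_FCI if apdu == select_apdu(PPSE_NAME) else b"\x6A\x82"


if __name__ == "__main__":
    print("C-APDU:", select_apdu(PPSE_NAME).hex().upper())
    for app in probe_card(fake_card):
        print(f"  AID {app.aid.hex().upper():<16} {app.label:<12} priority {app.priority}")
```

Nothing here is specific to malware: it is the first exchange of every contactless payment, which is exactly why a relay is hard to distinguish from a genuine tap at the terminal.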

To complete high-value transactions, PhantomCard tricks victims into entering their PIN, which is relayed for authentication.

This setup, demonstrated in actor-shared videos, allows seamless fraud where the victim unwittingly enables payments from afar.

Roots in Malware-as-a-Service

Tracing its origins, PhantomCard is not an original creation but a customized variant of the Chinese-origin “NFU Pay” Malware-as-a-Service (MaaS) platform, akin to other underground tools like SuperCardX and KingNFC.

Analysis reveals Chinese debug messages and package references to NFU Pay, indicating that the Brazil-based threat actor, known as “Go1ano developer,” acquired and rebranded it for local distribution.

This actor, a “serial reseller” of Android threats, promotes PhantomCard as “GHOST NFC CARD” on Telegram, targeting Brazilian mobile banking users while claiming global adaptability.

Indicators such as the C2 endpoint “/baxi/b” (“baxi” is the pinyin rendering of the Chinese word for Brazil) suggest region-specific tailoring, raising alarms about potential variants for other markets.

The reseller model underscores a shift in the cyber threat landscape, where non-technical actors act as local distributors, bridging global MaaS offerings to regional underground markets.

“Go1ano developer” also resells families like BTMOB and GhostSpy, and recently transferred rights to “Pegasus Team,” linked to other Brazilian Trojans like Rocinante.

This outsourcing expands the reach of sophisticated threats, bypassing language and cultural barriers, and complicates defenses for financial institutions.

Mitigation Strategies

PhantomCard highlights the surging demand for NFC relay tools, building on precursors like NFCGate and NFSkate, but with a streamlined, EMV-focused implementation using libraries like “scuba_smartcards” for data parsing.

For banks, such malware poses detection challenges: the transactions appear legitimate, since they originate from the victim’s genuine physical card and carry PIN confirmation, leaving only anomalies such as a merchant location that does not fit the cardholder as red flags.

ThreatFabric recommends vigilant monitoring of similar families, user education against apps requesting card taps for “protection,” and enhanced transaction analytics to spot relay fraud.
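One form the recommended transaction analytics can take, as an added example that is not from the report or any bank’s fraud engine: two relay indicators that only need the transaction’s merchant location, the card’s previous card-present use and the banking app’s last device location. The history, coordinates and thresholds are constructed assumptions for the example; in production the thresholds would be tuned to the portfolio.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Thresholds are assumptions for this example, not figures from the report.
MAX_PLAUSIBLE_KMH = 900.0          # faster than an airliner between two card-present uses
MAX_PHONE_TO_MERCHANT_KM = 50.0    # phone recently seen, but nowhere near the terminal
PHONE_FIX_MAX_AGE_H = 2.0          # only trust a device location fix this fresh


@dataclass
class Event:
    when: datetime
    lat: float
    lon: float
    kind: str        # "pos": card-present transaction, "app": banking-app location check-in
    label: str = ""


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def relay_indicators(history: List[Event], tx: Event) -> List[str]:
    """Reasons a card-present transaction looks relayed; an empty list means nothing odd."""
    reasons = []
    prior = sorted((e for e in history if e.when < tx.when), key=lambda e: e.when)

    # 1. Impossible travel: the physical card was just used far away from this merchant.
    last_pos = next((e for e in reversed(prior) if e.kind == "pos"), None)
    if last_pos is not None:
        km = haversine_km(last_pos.lat, last_pos.lon, tx.lat, tx.lon)
        hours = (tx.when - last_pos.when).total_seconds() / 3600
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h since {last_pos.label}")

    # 2. The cardholder's phone (where the card is being tapped) is nowhere near the merchant.
    last_app = next((e for e in reversed(prior) if e.kind == "app"), None)
    if last_app is not None:
        age_h = (tx.when - last_app.when).total_seconds() / 3600
        km = haversine_km(last_app.lat, last_app.lon, tx.lat, tx.lon)
        if age_h <= PHONE_FIX_MAX_AGE_H and km > MAX_PHONE_TO_MERCHANT_KM:
            reasons.append(f"device {km:.0f} km from merchant ({age_h:.2f} h old fix)")
    return reasons


# ---- constructed sample data ------------------------------------------------
def _t(hh, mm):
    return datetime(2025, 8, 1, hh, mm, tzinfo=timezone.utc)

SAO_PAULO = (-23.55, -46.63)   # approximate city-centre coordinates
RECIFE = (-8.05, -34.88)

SAMPLE_HISTORY = [
    Event(_t(9, 0), *SAO_PAULO, "app", "banking app opened at home"),
    Event(_t(9, 30), *SAO_PAULO, "pos", "coffee, Sao Paulo"),
    Event(_t(10, 0), *SAO_PAULO, "app", "victim taps card in the 'protection' app"),
]
LEGIT_TX = Event(_t(9, 30), *SAO_PAULO, "pos", "coffee, Sao Paulo")
RELAYED_TX = Event(_t(10, 15), *RECIFE, "pos", "ATM withdrawal, Recife")


if __name__ == "__main__":
    for tx in (LEGIT_TX, RELAYED_TX):
        print(tx.label, "->", relay_indicators(SAMPLE_HISTORY, tx) or ["no indicator"])
```

The second indicator is the one specific to phone-based relay: because the victim must hold the card to the infected phone at the moment of the fraud, the device’s own location is strong evidence of where the card physically is, and a merchant hundreds of kilometres away is the mismatch the report describes.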

As MaaS evolves into resold services, global financial organizations must track these actors to safeguard against escalating mobile threats.

Indicators of Compromise

App Name           Package Name             SHA256 Hash
Proteção Cartões   com.nfupay.s145          a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f
Proteção Cartões   com.rc888.baxi.English   cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667


AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
