
Post: New NFC-Based PhantomCard Malware Targets Android Banking Users - Against Invaders - CyberSecurity News for Humans.


<div> <div>
<p>ThreatFabric analysts have uncovered PhantomCard, an NFC-based Android Trojan designed to relay sensitive card data from victims&rsquo; devices to cybercriminals.</p>
<p>The malware primarily targets banking customers in Brazil but is built to expand to other markets, and it exemplifies the growing interest among threat actors in NFC relay attacks.</p>
<p>PhantomCard masquerades as a legitimate &ldquo;card protection&rdquo; app, distributed through deceptive web pages mimicking the <a href="https://gbhackers.com/malware-spotted-on-the-google-play/" rel="noreferrer noopener" target="_blank">Google Play Store</a>.</p>
<p>Once installed, it requests no dangerous (runtime) permissions: the NFC permission it needs is a normal-level permission granted silently at install time, so the victim sees no prompt. The app immediately asks the user to tap their physical banking card against the infected device for a supposed verification.</p>
<p>That tap starts the relay of NFC data through a criminal-controlled server, letting fraudsters perform unauthorized transactions at point-of-sale (POS) terminals or ATMs as if they held the victim&rsquo;s card.</p>
<p>PhantomCard&rsquo;s core functionality hinges on the NFC reader in modern Android devices, using the ISO-DEP (ISO/IEC 14443-4) transport over which EMV contactless cards exchange commands.</p>
<p>Upon detecting a card, the malware sends specific Application Protocol Data Units (APDUs), beginning with a SELECT command for the &ldquo;2PAY.SYS.DDF01&rdquo; Proximity Payment System Environment (PPSE) directory, to confirm that it is an EMV contactless card and to extract the list of payment applications (AIDs and labels) the card advertises.</p>
<p>If successful, the data is forwarded to a <a href="https://gbhackers.com/ghost-calls-attack-exploits-web-conferencing/" rel="noreferrer noopener" target="_blank">command-and-control</a> (C2) server, alerting attackers that the card is ready for exploitation.</p>
<p>The malware then runs a bidirectional relay: transaction APDUs from the fraudster&rsquo;s side are parsed and forwarded to the victim&rsquo;s card, and the card&rsquo;s responses are sent back, effectively bridging the physical card to a remote POS terminal or ATM.</p>
<p>To complete high-value transactions that require cardholder verification, PhantomCard tricks victims into entering their PIN in the app, and the PIN is relayed to the fraudster for authentication.</p>
<p>This setup, demonstrated in videos shared by the actor, allows seamless fraud in which the victim unwittingly authorizes payments made far away.</p>
<h2 id="h-roots-in-malware-as-a-service"><strong>Roots in Malware-as-a-Service</strong></h2>
<p>Tracing its origins, PhantomCard is not an original creation but a customized variant of the Chinese-origin &ldquo;NFU Pay&rdquo; Malware-as-a-Service (MaaS) platform, akin to other underground NFC relay tools such as SuperCardX and KingNFC.</p>
<p>Analysis reveals Chinese debug messages and package references to NFU Pay, indicating that the Brazil-based threat actor known as &ldquo;Go1ano developer&rdquo; acquired and rebranded it for local distribution.</p>
<p>This actor, a &ldquo;serial reseller&rdquo; of Android threats, promotes PhantomCard as &ldquo;GHOST NFC CARD&rdquo; on Telegram, targeting Brazilian mobile banking users while claiming it can be adapted worldwide.</p>
<p>Indicators such as the C2 endpoint &ldquo;/baxi/b&rdquo; (&ldquo;baxi&rdquo; is the pinyin for &ldquo;Brazil&rdquo;) point to region-specific tailoring and raise the prospect of variants for other markets.</p>
<p>The reseller model underscores a shift in the threat landscape, where non-technical actors act as local distributors, bridging global MaaS offerings to regional underground markets.</p>
<p>&ldquo;Go1ano developer&rdquo; also resells families such as BTMOB and GhostSpy, and recently transferred rights to &ldquo;Pegasus Team,&rdquo; a group linked to other Brazilian Trojans such as Rocinante.</p>
<p>This outsourcing extends the reach of sophisticated threats, bypasses language and cultural barriers, and complicates defenses for financial institutions.</p>
<h2 id="h-mitigation-strategies"><strong>Mitigation Strategies</strong></h2>
<p>PhantomCard highlights the surging demand for NFC relay tools. It builds on precursors such as NFCGate and NFSkate, but with a streamlined, EMV-focused implementation that uses libraries such as &ldquo;scuba_smartcards&rdquo; to parse card data.</p>
<p>For banks, such malware poses a detection challenge: the transaction is a genuine card-present read of the victim&rsquo;s physical card, often confirmed with the correct PIN, so only anomalies such as a merchant location that does not match the cardholder&rsquo;s whereabouts remain as red flags.</p>
<p>ThreatFabric <a href="https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil#indicators_of_compromise" rel="noreferrer noopener nofollow" target="_blank">recommends</a> vigilant monitoring of similar families, user education against apps that ask for card taps for &ldquo;protection,&rdquo; and enhanced transaction analytics to spot relay fraud.</p>
<p>As MaaS evolves into resold services, financial organizations worldwide must track these actors to safeguard against escalating mobile threats.</p>
<h2 id="h-indicators-of-compromise"><strong>Indicators of Compromise</strong></h2>
<figure> <table> <thead> <tr> <th>App Name</th> <th>Package Name</th> <th>SHA256 Hash</th> </tr> </thead> <tbody> <tr> <td>Prote&ccedil;&atilde;o Cart&otilde;es</td> <td>com.nfupay.s145</td> <td>a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f</td> </tr> <tr> <td>Prote&ccedil;&atilde;o Cart&otilde;es</td> <td>com.rc888.baxi.English</td> <td>cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667</td> </tr> </tbody> </table> </figure>
</div></div>
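<p>The card-discovery step described above (SELECT of the &ldquo;2PAY.SYS.DDF01&rdquo; PPSE and extraction of the payment applications), as an added example that is not code from PhantomCard, NFU Pay, or ThreatFabric: it builds the SELECT PPSE command APDU exactly as a reader or POS terminal sends it, and parses the card&rsquo;s File Control Information (FCI) reply to list the Application Identifiers (AIDs) and labels the card advertises, which is the metadata the article says is reported to the C2. The FCI bytes are constructed for this example; the Visa and Mastercard AIDs are the real public values, the labels and priorities are made up. A &ldquo;6A82&rdquo; (file not found) status word is treated as the non-EMV case.</p>

```python
"""Added example: the EMV card-discovery step (SELECT PPSE) and parsing of the
card's reply. The FCI bytes are constructed for this example; this is not code
from PhantomCard, NFU Pay, or ThreatFabric."""

PPSE_NAME = b"2PAY.SYS.DDF01"  # Proximity Payment System Environment (contactless)
SW_SUCCESS = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6A\x82"  # card has no PPSE: not an EMV contactless card


def select_ppse_apdu() -> bytes:
    """Command APDU: CLA 00, INS A4 (SELECT), P1 04 (by DF name), P2 00, Lc, name, Le 00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PPSE_NAME)]) + PPSE_NAME + b"\x00"


def parse_tlv(data: bytes) -> list:
    """Minimal BER-TLV parser: returns [(tag_hex, value)], where the value of a
    constructed tag (bit 6 of the first tag byte set) is itself a parsed list."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):      # EMV allows 00/FF padding between objects
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:         # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                # long form: low bits give the byte count
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out


def find_all(tlv: list, wanted: str):
    """Yield every value carried under tag `wanted`, at any depth."""
    for tag, value in tlv:
        if tag == wanted:
            yield value
        if isinstance(value, list):
            yield from find_all(value, wanted)


def payment_apps_from_fci(response: bytes):
    """Split a response APDU into body + status word and list the Application
    Directory Entries (tag 61) as (AID hex, label, priority). Returns (SW hex, apps)."""
    if len(response) < 2:
        raise ValueError("response APDU shorter than a status word")
    body, sw = response[:-2], response[-2:]
    if sw != SW_SUCCESS:
        return sw.hex().upper(), []      # e.g. 6A82: no PPSE, nothing to relay
    apps = []
    for entry in find_all(parse_tlv(body), "61"):
        fields = dict(entry)             # a directory entry holds primitive tags only
        aid = fields.get("4F", b"").hex().upper()
        label = fields.get("50", b"").decode("ascii", "replace")
        priority = fields.get("87", b"\x00")[0]
        apps.append((aid, label, priority))
    return "9000", apps


def _tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one short-form TLV (used only to build the constructed sample)."""
    return tag + bytes([len(value)]) + value


# Constructed sample reply: FCI (6F) with DF name (84) and an FCI Proprietary
# Template (A5) holding the FCI Issuer Discretionary Data (BF0C) directory.
# AIDs are the public Visa and Mastercard values; labels/priorities are made up.
SAMPLE_FCI_RESPONSE = _tlv(b"\x6F",
    _tlv(b"\x84", PPSE_NAME)
    + _tlv(b"\xA5", _tlv(b"\xBF\x0C",
        _tlv(b"\x61", _tlv(b"\x4F", bytes.fromhex("A0000000031010"))
                      + _tlv(b"\x50", b"VISA") + _tlv(b"\x87", b"\x01"))
        + _tlv(b"\x61", _tlv(b"\x4F", bytes.fromhex("A0000000041010"))
                        + _tlv(b"\x50", b"MASTERCARD") + _tlv(b"\x87", b"\x02"))))
) + SW_SUCCESS

if __name__ == "__main__":
    print("C-APDU:", select_ppse_apdu().hex().upper())
    print("EMV card:", payment_apps_from_fci(SAMPLE_FCI_RESPONSE))
    print("other card:", payment_apps_from_fci(SW_FILE_NOT_FOUND))
```

<p>Against a real card the same command would be sent through Android&rsquo;s <code>IsoDep.transceive()</code> or pyscard&rsquo;s <code>transmit()</code>. The point for defenders is that this SELECT PPSE is byte-for-byte what a legitimate terminal sends, so from the card&rsquo;s side a malicious tap is indistinguishable from an ordinary contactless read; the only difference is where the responses end up.</p>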
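<p>One way to act on the &ldquo;mismatched merchant location&rdquo; red flag the Mitigation Strategies section names, as an added example that is not ThreatFabric&rsquo;s or any bank&rsquo;s code: it runs two checks over a constructed set of card-present transactions, an impossible-travel test between consecutive taps and a mismatch between the merchant country and the country where the cardholder&rsquo;s banking app last checked in. The speed threshold, the coordinates and the transactions are assumptions made for the example. A PIN-verified flag is deliberately not trusted, because a relayed transaction carries the victim&rsquo;s real PIN.</p>

```python
"""Added example: relay-fraud heuristics over card-present transactions.
Constructed data; thresholds and locations are assumptions, not ThreatFabric's."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class CardPresentTx:
    ts: datetime
    amount: float
    merchant_country: str  # ISO 3166-1 alpha-2 of the POS terminal or ATM
    lat: float
    lon: float
    pin_verified: bool     # relayed taps carry the victim's real PIN, so this proves nothing


MAX_PLAUSIBLE_KMH = 900.0  # assumed: faster than an airliner means the card was in two places


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_relay_suspects(txs, device_country):
    """Return (timestamp, reason, detail) tuples for taps that look relayed.
    device_country: where the cardholder's banking app last reported itself."""
    txs = sorted(txs, key=lambda t: t.ts)
    flags = []
    for prev, cur in zip(txs, txs[1:]):
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # Two card-present taps too far apart for the elapsed time: the physical
        # card cannot have been at both terminals, PIN or no PIN.
        if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            flags.append((cur.ts, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
    for t in txs:
        # Card used in a country where the cardholder's phone is not.
        if t.merchant_country != device_country:
            flags.append((t.ts, "merchant_country_mismatch",
                          f"{t.merchant_country} vs {device_country}"))
    return flags


# Constructed sample: a real tap in São Paulo, then two "taps" in Lisbon minutes later,
# both PIN-verified because the victim typed the PIN into the fake app.
SAMPLE_TXS = [
    CardPresentTx(datetime(2025, 8, 14, 10, 0), 45.90, "BR", -23.55, -46.63, False),
    CardPresentTx(datetime(2025, 8, 14, 10, 12), 1200.00, "PT", 38.72, -9.14, True),
    CardPresentTx(datetime(2025, 8, 14, 10, 40), 300.00, "PT", 38.72, -9.14, True),
]

if __name__ == "__main__":
    for f in flag_relay_suspects(SAMPLE_TXS, "BR"):
        print(*f)
```

<p>The two rules are independent so that either alone still fires: a relay into a terminal in the victim&rsquo;s own city would escape the country check but not the travel check if the victim had tapped elsewhere shortly before, and a single foreign tap with no prior transaction is caught only by the country check.</p>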