PhantomCard Mobile Malware
Cybersecurity researchers have uncovered a dangerous new Android Trojan named PhantomCard. This sophisticated malware exploits near-field communication (NFC) technology to carry out relay attacks, enabling criminals to make fraudulent transactions by virtually "cloning" victims' banking cards.
How PhantomCard Operates
PhantomCard works by relaying NFC data from a victim's card to a criminal's device, allowing the attacker to use the card as though it were physically in their possession. The malware's design is based on Chinese-developed NFC relay malware-as-a-service, specifically the NFU Pay platform.
The malicious app, disguised as Proteção Cartões, is distributed through fake Google Play web pages that imitate legitimate card protection services. These pages are enhanced with fake positive reviews to boost credibility. While the exact distribution method remains unknown, smishing or similar social engineering tactics are likely used.
Once installed, the app prompts the victim to place their credit or debit card against the back of their phone for 'verification.' When the interface displays 'Card Detected!', the malware begins transmitting the card's NFC data to a remote attacker-controlled server. The app then asks the user to enter their PIN, which is immediately forwarded to the criminal so that real-world transactions can be authorized at a PoS terminal or ATM.
The Mule’s Role in the Scheme
On the criminal's side, a mule device runs a corresponding application designed to receive the stolen card data. This setup ensures smooth communication between the PoS terminal and the victim's card, effectively making it possible for attackers to use the stolen credentials in real time.
The malware developer, known online as Go1ano, is notorious in Brazil for reselling Android threats. Researchers note that PhantomCard is essentially a repackaged version of the Chinese NFU Pay service, which is openly promoted on Telegram. The developer claims the tool is globally functional, completely undetectable, and compatible with all NFC-enabled PoS systems. They also advertise close ties with other malware families, including BTMOB and GhostSpy.
Part of a Growing Underground NFC Fraud Ecosystem
NFU Pay is just one of several illegal NFC relay tools on the market, alongside names like SuperCard X, KingNFC, and X/Z/TX-NFC. The spread of these tools brings new risks to regional banks and financial institutions by enabling global threat actors to bypass language, cultural, and technical barriers that previously limited attacks. This expansion significantly complicates fraud detection and prevention.
Southeast Asia: A Hotbed for NFC Exploitation
Researchers warn that Southeast Asia has emerged as a testing ground for NFC-based fraud. In countries like the Philippines, the rise in contactless payments and the prevalence of low-value transactions that often bypass PIN checks make such attacks particularly effective.
Common underground tools enabling NFC fraud include:
- Z-NFC and X-NFC – Known for cloning and using stolen card data in real-time transactions.
- SuperCard X and Track2NFC – Widely available in dark web forums and private chat groups, these allow attackers to perform unauthorized contactless payments.
The transactions from these attacks often appear legitimate, originating from authenticated devices, which makes detection and prevention challenging, especially in real-time financial systems.