Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil.
“PhantomCard relays NFC data from a victim’s banking card to the fraudster’s device,” ThreatFabric said in a report. “PhantomCard is based on Chinese-originating NFC relay malware-as-a-service.”
The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name “Proteção Cartões” (package name “com.nfupay.s145” or “com.rc888.baxi.English”).
The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It’s currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique.
Once the app is installed and opened, it requests victims to place their credit/debit card on the back of the phone to begin the verification process, at which point the user interface displays the message: “Card Detected! Keep the card nearby until authentication is complete.”
In reality, the card data is relayed to an attacker-controlled NFC relay server by taking advantage of the built-in NFC reader built into modern devices. The PhantomCard-laced app then requests the victim to enter the PIN code with the goal of transmitting the information to the cybercriminal so as to authenticate the transaction.
“As a result, PhantomCard establishes a channel between the victim’s physical card and the PoS terminal / ATM that the cybercriminal is next to,” ThreatFabric explained. “It allows the cybercriminal to use the victim’s card as if it was in their hands.”
Similar to SuperCard X, there exists an equivalent app on the mule-side that’s installed on their device to receive the stolen card information and ensure seamless communications between the PoS terminal and the victim’s card.
The Dutch security company said the actor behind the malware, Go1ano developer, is a “serial” reseller of Android threats in Brazil, and that PhantomCard is actually the handiwork of a Chinese malware-as-a-service offering known as NFU Pay that’s advertised on Telegram.
Go1ano developer, in their own Telegram channel, claims PhantomCard works globally, stating it is 100% undetectable and is compatible with all NFC-enabled point-of-sale (PoS) terminal devices. They also claim to be a “trusted partner” for other malware families like BTMOB and GhostSpy in the country.
It’s worth noting that NFU Pay is one of the many illicit services peddled on the underground that offer similar NFC relay capabilities, such as SuperCard X, KingNFC, and X/Z/TX-NFC.
“Such threat actors pose additional risks to local financial organizations as they open the doors for a wider variety of threats from all over the world, which could have potentially stayed away from certain regions due to language and cultural barriers, specifics…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
