PhantomCard: New NFC-driven Android malware emerging in Brazil

Aug. 14, 2025, 3:32 p.m.

Description

A new Android Trojan called PhantomCard is targeting banking customers in Brazil, with potential for global expansion. The malware relays NFC data from victims' banking cards to fraudsters' devices, enabling unauthorized transactions. Distributed through fake 'Google Play' pages as a 'card protection' app, PhantomCard is based on a Chinese-originating NFC relay Malware-as-a-Service. The actor behind it is a known reseller of Android threats in Brazil. PhantomCard's emergence highlights the growing popularity of NFC-based attacks among cybercriminals and the evolving threat landscape, where local threats can reach global markets through reselling schemes.

Date

  • Created: Aug. 14, 2025, 3:15 p.m.
  • Published: Aug. 14, 2025, 3:15 p.m.
  • Modified: Aug. 14, 2025, 3:32 p.m.

Indicators

  • cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667
  • a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f

Attack Patterns

  • GhostSpy
  • BTMOB
  • PhantomCard
  • Go1ano developer

Additional Information

  • Finance
  • Brazil