PhantomCard: NFC Relay Trojan Targeting Android Users

Cybersecurity researchers have uncovered PhantomCard, a newly identified Android trojan exploiting near-field communication (NFC) technology to perform relay attacks, enabling fraudulent financial transactions. The malware has been observed targeting banking customers in Brazil, with evidence linking it to Chinese malware-as-a-service (MaaS) operations.

How PhantomCard Works

According to ThreatFabric, PhantomCard relays real-time NFC data from a victim’s physical banking card to a cybercriminal’s device, effectively allowing the attacker to use the card remotely at a point-of-sale (PoS) terminal or ATM.

The trojan is disguised as a legitimate card protection app named "Proteção Cartões" (package names: com.nfupay.s145 or com.rc888.baxi.English) and is distributed through fake Google Play web pages complete with fabricated positive reviews.

Once installed, the app prompts users to place their card against the phone for “verification,” while secretly sending NFC data to an attacker-controlled relay server. It then requests the victim’s PIN code, completing the authentication chain for fraudulent transactions.

Technical Details

PhantomCard’s attack chain mirrors earlier threats like SuperCard X, with a companion mule-side app installed on the attacker’s device to complete the relay. ThreatFabric attributes the malware’s development to the Go1ano actor, a known reseller of Android threats in Brazil, leveraging the NFU Pay service advertised on Telegram.

Key traits:

  • No PIN bypass – Relies on harvesting the legitimate PIN.

  • Global compatibility – Works with most NFC-enabled PoS devices.

  • MaaS ecosystem – Integrated with other malware like BTMOB and GhostSpy.

Growing NFC Relay Threat Landscape

NFC relay attacks are not unique to Brazil. Resecurity reports similar fraud spikes in Southeast Asia, particularly the Philippines, where contactless payment adoption and low-value PIN exemptions make detection challenging. Multiple underground tools — Z-NFC, KingNFC, Track2NFC — offer similar capabilities.

Related Android Banking Malware

The report coincides with the discovery of SpyBanker, a separate Android malware in India distributed via WhatsApp as a fake customer service app. SpyBanker diverts incoming calls, gathers sensitive data, and can manipulate banking communications.

Other campaigns have delivered credit card phishing apps posing as legitimate bank applications. These droppers dynamically load malicious payloads, including the XMRig cryptocurrency miner, while presenting cloned interfaces from real banking websites to collect card details.

Security Implications

PhantomCard’s emergence underscores the evolution of banking malware, where attackers exploit hardware features like NFC alongside social engineering. With MaaS offerings lowering the barrier for cybercriminal entry, local financial institutions face increased risks from globally sourced threats.

Recommendations for Users and Banks

  • Avoid installing apps from unverified links or third-party app stores.

  • Banks should enforce transaction risk scoring and multi-factor authentication for contactless payments.

  • Monitor for anomalous PoS transaction patterns, especially involving foreign terminals.
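One way an issuer could implement the PoS monitoring recommended above is an impossible-travel check over consecutive card-present transactions, since a relayed card surfaces at a terminal far from where the physical card was just used. This is an added example, not code from ThreatFabric or the original article; the `Txn` fields, the 900 km/h threshold, the `BR` home country and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling (roughly airliner speed); tune per portfolio

@dataclass
class Txn:  # hypothetical record layout for a card-present authorisation
    card: str      # tokenised card id
    ts: datetime   # terminal timestamp, UTC
    lat: float     # terminal latitude
    lon: float     # terminal longitude
    country: str   # terminal country code
    pin_ok: bool   # online PIN verified

def km_between(a, b):
    """Great-circle (haversine) distance between two terminals, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_relay_candidates(txns, home_country="BR"):
    """Return (txn, reasons) for transactions that imply impossible card travel."""
    flagged, last = [], {}
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last.get(t.card)
        if prev is not None:
            hours = (t.ts - prev.ts).total_seconds() / 3600
            dist = km_between(prev, t)
            # Same-instant use at distant terminals counts as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 1 else 0.0)
            if speed > MAX_KMH:
                reasons = [f"impossible travel: {dist:.0f} km in {hours * 60:.0f} min"]
                if t.country != home_country:
                    reasons.append(f"foreign terminal ({t.country})")
                if t.pin_ok:  # the page notes the PIN is harvested, not bypassed
                    reasons.append("valid PIN does not clear the alert")
                flagged.append((t, reasons))
                continue  # a suspect txn must not become the location baseline
        last[t.card] = t
    return flagged

# Constructed sample data (not real transactions)
SAMPLE = [
    Txn("card-A", datetime(2025, 8, 1, 12, 0), -23.55, -46.63, "BR", True),   # Sao Paulo
    Txn("card-A", datetime(2025, 8, 1, 12, 20), 38.72, -9.14, "PT", True),    # Lisbon, 20 min later
    Txn("card-A", datetime(2025, 8, 1, 13, 0), -23.56, -46.64, "BR", True),   # Sao Paulo again
    Txn("card-B", datetime(2025, 8, 1, 9, 0), -23.55, -46.63, "BR", True),    # Sao Paulo
    Txn("card-B", datetime(2025, 8, 1, 18, 0), -22.91, -43.17, "BR", True),   # Rio, 9 h later
]
```

Calling `flag_relay_candidates(SAMPLE)` flags only the Lisbon transaction on card-A; the later São Paulo purchase is still compared against the last trusted location, so it passes.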