New Bank Theft Mode: PhantomCard Malware Exploits NFC and Phone Root Access.
By VELSICURO
10 October 2025
News

The banking world is facing a wave of sophisticated new cyberattacks, led by the Android malware named PhantomCard. This attack, first detected in Brazil but with the potential to spread to Southeast Asia and globally, is specifically designed to steal bank card data by exploiting Near-Field Communication (NFC) technology, social engineering techniques, and even vulnerabilities in rooted devices.

PhantomCard's Modus Operandi and NFC Crime

PhantomCard is a trojan offered through a Chinese Malware-as-a-Service (MaaS) platform called NFU Pay. It enables cybercriminals to conduct contactless transactions as if they were holding the victim's physical card.

  • Tactical Distribution: The malware is spread via a fake website that mimics the Google Play Store, disguised as a card security application called "Proteção Cartões." Scammers use smishing or other social engineering tricks to direct victims to the fraudulent download page.
  • Real-time Data Theft: Once installed, the app instructs victims to tap their physical card against the back of their phone for a fake "verification." During this process, the card data (including the PIN, if requested) is relayed in real-time to the attacker's server, allowing them to use it for illegal transactions.
  • Criminal Network: PhantomCard is openly marketed by resellers like the Go1ano developer, alongside similar products (SuperCard X, KingNFC, X/Z/TX-NFC), illustrating that cybercrime is now operating like an organized digital service.

Other Threats and Evolving Attack Techniques

The threats against banking are not limited to NFC relay fraud:

  • Ghost Tap: A Mandarin-speaking criminal syndicate uses a similar NFC relay technique called Ghost Tap. They steal card details, integrate them into digital wallet services (Apple Pay/Google Pay), and use burner phones operated by couriers (mules) to purchase physical goods via contactless payment, which are then resold for profit.
  • SpyBanker: This malware spreads via WhatsApp, masquerading as a bank service application. Its function is to divert the victim's incoming phone calls, allowing the attacker to steal OTP codes and call-based verifications.
  • Root Exploitation: Researchers have discovered the misuse of Android rooting frameworks (such as KernelSU, APatch) by criminals to gain full control over victims' devices, leveraging weaknesses in the system's authentication layer.
  • Fake Apps: Fraudulent applications mimicking major bank services are circulating outside the Play Store, acting as a dropper to install further malicious software, including the XMRig cryptocurrency miner.

Implications and the Need for Collaboration

The Malware-as-a-Service model has made cybercrime more accessible, organized, and cross-border.

Financial institutions must immediately upgrade their real-time fraud detection systems and multi-factor authentication, while also educating customers. Given the continuous evolution of these threats (as demonstrated by Ghost Tap and other Android malware), close collaboration is essential among banks, technology providers (such as Google, which states that Play Protect can block known malware), and global cybersecurity authorities.

Source: https://csirt.or.id/berita/ancaman-baru-phantomcard-serang-bank