Zimperium Blog

Rapid Response: Zimperium’s Full Coverage of PhantomCard NFC-Relay Android Malware

Written by Nicolás Chiaraviglio | Aug 14, 2025

ThreatFabric recently revealed PhantomCard, a sophisticated Android banking trojan emerging in Brazil that executes NFC relay fraud by intercepting and transmitting sensitive card data from victims to cybercriminals. The malware masquerades as a “Proteção Cartões” (“Card Protection”) app hosted on fake Google Play Store pages, complete with counterfeit positive reviews to lure unsuspecting victims.

Once installed, PhantomCard prompts users to tap their bank card against their device—without needing additional permissions. It then captures NFC data from the card and transmits it to the attacker. For added deception, the app also requests the user’s PIN code to ensure the cybercriminal can complete point-of-sale (POS) or ATM transactions using the victim’s card in real time.

This campaign is particularly concerning: it is powered by a Chinese-origin Malware-as-a-Service (MaaS) offering, which lets multiple affiliates rapidly deploy customized variants, regionalizing the fraud to Brazilian users—and potentially beyond.

Zimperium’s Mobile Threat Detection (MTD) and Runtime Protection (zDefend) detect 100% of the samples shared in the original report; our dynamic detection engine flagged them with high accuracy and without prior signatures, in a zero-day fashion. Further strengthening our protection, we uncovered 8 additional samples connected to the PhantomCard campaign.

Why This Matters: PhantomCard elevates NFC-based attacks to a new level. Victims are unknowingly facilitating fraud by tapping their cards on their phones—while the criminal completes the transaction remotely using the stolen card information and PIN. Traditional fraud detection systems are unlikely to catch such activity, as transactions appear legitimate and originate from the victim’s own card and PIN.

Financial institutions—especially those operating in Brazil or regions with Brazilians in their customer base—should assume that NFC relay fraud is occurring and ensure mobile defenses can block overlay tactics, detect inappropriate NFC interactions, and intercept suspicious command-and-control communication on-device.

We remain committed to monitoring this threat as it evolves, expanding our detection capabilities, and sharing relevant intelligence to empower security teams to respond swiftly and confidently.

For more technical insights, read ThreatFabric’s full report here.

The list of new IOCs can be found in this repository.