From Fake Apps to ATM Accomplices — Clever Schemes Are Surprising Even Researchers

A new Android malware campaign is targeting banking customers in Brazil, India, and Southeast Asia, combining NFC-based contactless fraud, call interception, and device exploitation.

PhantomCard: Relay Attacks via NFC
Researchers at ThreatFabric report that the PhantomCard trojan uses near-field communication to conduct relay attacks. Criminals obtain a victim’s card data and transmit it via a controlled server to an accomplice’s device near a payment terminal or ATM. This creates a channel allowing transactions as if the physical card were in the criminal’s hands.
PhantomCard is distributed through fake Google Play pages, disguised as a “Proteção Cartões” app with fabricated positive reviews. After installation, it prompts users to tap their bank card to the phone “for verification” and enter their PIN — both of which are sent to the attacker. A counterpart app on the accomplice’s device syncs with the payment terminal.
ThreatFabric attributes the malware to Brazilian seller Go1ano, who uses the Chinese platform NFU Pay, offering similar services as part of “malware-as-a-subscription.” Comparable solutions include SuperCard X, KingNFC, and X/Z/TX-NFC. Experts warn that such services lower language and infrastructure barriers, enabling wider attacks.
Southeast Asia: NFC Abuse
Resecurity’s July reports highlight that Southeast Asia — especially the Philippines — has become a testing ground for contactless fraud. Rising NFC payment popularity, particularly for small transactions without PIN entry, makes unauthorized payments easier and harder to trace.
India: SpyBanker and Fake Loan Apps
K7 Security discovered an Indian campaign using the SpyBanker Android trojan, spread via WhatsApp as a fake bank support app. It reconfigures the device’s call forwarding to a preset attacker-controlled number so that inbound calls are intercepted, and it collects SIM data, banking details, SMS messages, and notifications.
Another Indian attack vector involves fake credit apps branded with major banks, downloaded from phishing sites. According to McAfee, these APKs act as “droppers,” fetching a malicious module after installation. The fake interface mimics real bank apps, asking for full name, card number, CVV, expiry date, and phone number.
Additional Malicious Features
Built-in functionality lets the malware run an XMRig cryptocurrency miner upon receiving certain Firebase Cloud Messaging commands. To disguise itself, it loads images and scripts from legitimate bank sites, with “Download” buttons linking to infected files.
Key Takeaway
The variety of methods shows that mobile devices are increasingly at the center of financial attacks, and trust in familiar communication and payment channels has become the main weak point in user security.