
Cybersecurity researchers have disclosed a new Android Trojan called Phantomcard, which abuses near-field communication (NFC) to carry out relay attacks and facilitate fraudulent transactions in a campaign targeting Brazilian bank customers.
“Phantomcard relays NFC data from victims’ bank cards to fraudsters’ devices,” ThreatFabric said in a report. “Phantomcard is based on a Chinese NFC relay malware-as-a-service.”
The Android malware is distributed via fake Google Play web pages that mimic card-protection apps, under the name “ProteçãoCartis” (package names “com.nfupay.s145” or “com.rc888.baxi.english”).
The fake page also features deceptive positive reviews to convince victims to install the app. Currently, we don’t know how links to these pages are distributed, but it could include smishing and similar social engineering techniques.
Once the app is installed and opened, it asks the victim to place their credit/debit card on the back of the phone to begin a “verification” process. At this point, the user interface displays the message “Card will be detected! Keep the card nearby until authentication is complete.”
In reality, the card data is relayed to an attacker-controlled NFC relay server using the NFC reader built into modern devices. The Phantomcard-laced app then asks the victim to enter their PIN code, with the aim of sending it to the cybercriminal so that the transaction can be authenticated.
“As a result, Phantomcard establishes a channel between the victim’s physical card and the POS terminal/ATM next to which the cybercriminal is located,” ThreatFabric explained. “It allows cybercriminals to use the victim’s card as if it were in their hands.”

As with SuperCard X, a companion app on the mule’s side is installed on the device used to receive the stolen card information and ensure seamless communication between the POS terminal and the victim’s card.
The Dutch security company said the Go1ano developer, the actor behind the malware, is a “serial” reseller of Brazilian Android threats, and that Phantomcard is actually the work of a Chinese malware-as-a-service known as NFU Pay, advertised on Telegram.
The Go1ano developer claims on their own Telegram channel that Phantomcard is globally functional, 100% undetectable and compatible with all NFC-enabled point-of-sale (POS) terminal devices. They also claim to be a “trusted partner” for other malware families active in the country, such as BTMOB and GhostSpy.

It is worth noting that NFU Pay is one of many illegal services offered underground with similar NFC relay capabilities, alongside SuperCard X, KingNFC, and X/Z/TX-NFC.
“Threat actors like these pose additional risks to local financial organizations, opening the door to a wide range of threats from around the world, including from regions that would otherwise remain outside their sphere due to language and cultural barriers, financial system details and cash shortages,” ThreatFabric said.
“This consequently complicates the threat landscape for local financial organizations and calls for proper surveillance of the global threats and actors behind them targeting the organization.”
A report released last month, warning of a surge in NFC-enabled fraud in the Philippines, said Southeast Asia has become a test ground for NFC fraud, with actors targeting regional banks and financial service providers.
“With tools like Z-NFC, X-NFC, SuperCard X, and Track 2NFC, attackers can clone stolen card data and use NFC-enabled devices to carry out unauthorized transactions,” Resecurity said.

“These tools are widely available in underground forums and private messaging groups. The resulting fraud appears to come from trusted, authenticated devices, making it difficult to detect. As the use of contactless payments increases, low-value transactions bypass PIN verification, and such attacks are frequently carried out, making them difficult to detect and stop in real time.”
This disclosure comes as K7 Security detailed an Android malware campaign called SpyBanker targeting Indian bank users, which is likely distributed via WhatsApp under the guise of a customer help service app.
“Interestingly, this Android SpyBanker malware registers a service called ‘CallForwardingService’ and redirects the user’s calls by setting the ‘CallForward Number’ to a hard-coded mobile number controlled by the attacker,” the company said. “A call to the victim, when left unattended, will be rerouted to the call forwarding number to carry out whatever malicious activity they wish to do.”
Additionally, the malware is equipped with the ability to collect victim SIM details, confidential bank information, SMS messages, and notification data.
Indian bank users are also being targeted by Android malware designed to siphon financial information while simultaneously dropping the XMRig cryptocurrency miner on compromised devices. The malicious credit card apps are distributed via convincing phishing pages that use real assets obtained from official bank websites.
The malicious apps identified are:
- Axis Bank Credit Card (com.nwilfxj.fxkdr)
- ICICI Bank Credit Card (com.nwilfxj.fxkdr)
- IndusInd Credit Card (com.nwilfxj.fxkdr)
- State Bank of India Credit Card (com.nwilfxj.fxkdr)
The malware is designed to display fake user interfaces that encourage victims to enter personal information such as their name, card number, CVV code, expiration date, and mobile phone number. A notable aspect of the app is that it triggers the mining process upon receiving specific messages sent via Firebase Cloud Messaging (FCM).

“Apps delivered through these phishing sites act as droppers, meaning that they look harmless at first, but later dynamically load and run the actual malicious payloads,” says Dexter Shin, a researcher at McAfee. “This technique helps avoid static detection and complicates the analysis.”
“These phishing pages load images, JavaScript and other web resources directly from the official website to make them look legitimate. However, they contain additional elements such as the “Get App” and “Download” buttons.”
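Hotlinking of this kind leaves a trace in the legitimate site's own web-server logs: a browser rendering the phishing page requests the bank's images and scripts with a Referer pointing at the phishing domain. The following is an added example, not code from the article or from McAfee, showing a defender-side check over constructed access-log lines; `examplebank.test` and the other hostnames are placeholders, and the log lines are made up to cover the normal, trusted-subdomain, missing-Referer and lookalike-suffix cases.

```python
# Added example: scan a bank site's own web-server access log for static assets
# that are being hotlinked by foreign origins. Phishing pages built from the real
# site's images/JS/CSS leave this trace whenever the victim's browser sends a Referer.
# Not from the article or any vendor; all hosts and log lines below are constructed.
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import urlparse

# Hypothetical legitimate origin for the bank. Subdomains of it are trusted too.
TRUSTED_HOSTS = {"examplebank.test"}

# Asset types phishing kits commonly hotlink: images, scripts, styles, fonts.
STATIC_EXT = re.compile(r"\.(png|jpe?g|gif|svg|webp|js|css|woff2?)(\?|$)", re.I)

# Apache/Nginx "combined" log format:
# ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. Lines 2-3 show a lookalike domain pulling the bank's logo
# and script; line 5 is a non-static page and is ignored; line 6 has no Referer;
# the last line contains the trusted name only as a prefix and must NOT be trusted.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2025:10:01:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://www.examplebank.test/cards" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:10:01:07 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://examplebank-secure-card.test/apply" "Mozilla/5.0 (Linux; Android 14)"
203.0.113.9 - - [14/Aug/2025:10:01:07 +0000] "GET /static/app.js HTTP/1.1" 200 90210 "https://examplebank-secure-card.test/apply" "Mozilla/5.0 (Linux; Android 14)"
198.51.100.2 - - [14/Aug/2025:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 90210 "https://cdn.examplebank.test/" "Mozilla/5.0"
198.51.100.7 - - [14/Aug/2025:10:02:40 +0000] "GET /accounts/login HTTP/1.1" 200 2048 "https://examplebank-secure-card.test/apply" "Mozilla/5.0"
198.51.100.8 - - [14/Aug/2025:10:03:00 +0000] "GET /assets/hero.webp HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
192.0.2.4 - - [14/Aug/2025:10:03:30 +0000] "GET /static/style.css HTTP/1.1" 200 3000 "https://examplebank.test.evil-host.test/" "Mozilla/5.0"
"""


def referer_host(referer: str) -> Optional[str]:
    """Hostname from a Referer URL, lowercased; None for '-', empty or malformed values."""
    if not referer or referer == "-":
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def is_trusted(host: str, trusted_hosts: Iterable[str] = TRUSTED_HOSTS) -> bool:
    """True if host is a trusted host or a subdomain of one (suffix match on a label boundary)."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def find_hotlinking_origins(lines: Iterable[str], trusted_hosts=TRUSTED_HOSTS) -> Counter:
    """
    Count static-asset requests per foreign Referer host.
    Requests with no Referer are skipped: browsers omit it in many legitimate
    cases, so its absence alone is not evidence of anything.
    """
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not STATIC_EXT.search(m["path"]):
            continue
        host = referer_host(m["referer"])
        if host is None or is_trusted(host, trusted_hosts):
            continue
        hits[host] += 1
    return hits


if __name__ == "__main__":
    # On the constructed sample this lists the lookalike domain (2 hits) and the
    # prefix-only lookalike (1 hit); the trusted subdomain and the missing Referer are skipped.
    for host, n in find_hotlinking_origins(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {host}")
```

The suffix check in `is_trusted` deliberately requires a dot before the trusted name, so a registered lookalike such as `examplebank.test.evil-host.test` is reported rather than whitelisted. In practice the output is a lead list, not a verdict: legitimate partners, search engines and caches also hotlink, so new foreign origins with a high hit rate on login-page assets are what merit follow-up.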

The findings also follow a report from Zimperium zLabs detailing how rooting frameworks such as KernelSU, APatch, and SKRoot can be abused to gain root access and escalate privileges, allowing attackers to take full control of Android devices.
The mobile security company said a security flaw discovered in KernelSU (version 0.5.7) in mid-2023 allows an attacker to authenticate as the kernel manager and completely compromise rooted Android devices through a malicious application already installed on them.
An important caveat limiting this attack is that the threat actor’s application is only effective if it is launched before the legitimate kernel manager application.
“Strong authentication and access control are essential because system calls can be triggered by any app on the device,” said security researcher Marcel Baskettle. “Unfortunately, this layer often opens the door to serious security risks, or is ignored entirely. Inadequate authentication allows malicious apps to gain root access and compromise devices entirely.”