PhantomCard
PhantomCard is an Android NFC-relay banking trojan first identified by ThreatFabric. It is described as a China-origin NFC relay malware-as-a-service (MaaS) variant that primarily targets banking customers in Brazil; reporting indicates it can be adapted to other regions and may expand globally. It has been distributed through fake Google Play pages that present it as a card-protection application named “Proteção Cartões” (“Card Protection”), complete with fabricated positive reviews to lure victims.
PhantomCard abuses near-field communication to run relay attacks against contactless EMV payment cards that communicate over ISO-DEP (ISO 14443-4). It instructs the victim to hold their payment card against the infected Android device and then prompts for the card's 4- or 6-digit PIN. Once a card is detected, the malware relays the NFC exchange through attacker-controlled infrastructure, opening a channel between the victim's physical card and a POS terminal or ATM next to the fraudster, who can then complete payments or cash-outs with it. Reported implementation details include use of the scuba_smartcards library to parse payment-card data and the APDU command 00A404000E325041592E5359532E444446303100, which selects the EMV Payment System Environment directory 2PAY.SYS.DDF01. Decoded, that command is a standard ISO 7816-4 SELECT: CLA 00, INS A4, P1 04 (select by DF name), P2 00, Lc 0E, the 14-byte name “2PAY.SYS.DDF01”, and Le 00. It is the first command a contactless EMV terminal sends to a card, so the infected phone is playing the terminal's role against the victim's card. Reporting also states that the operation requires a separate mule-side application to receive the relayed data and talk to the POS terminal.
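The following is an added example, not PhantomCard's code and not taken from the ThreatFabric report. It decodes the SELECT PPSE command APDU quoted above and models the relay path the report describes (terminal, mule-side app, C2, infected phone, card) with a constructed stub card and a hypothetical RelayChannel class. The card responses, latency figures and class names are assumptions made for illustration; the one thing the model keeps faithful is that every APDU in a relayed transaction pays the network round trip twice, which is the property a direct tap never shows.

```python
"""Added example (not PhantomCard's code, not ThreatFabric's): decode the
SELECT PPSE command APDU reported for the sample and model the relay hop the
report describes, terminal -> mule app -> C2 -> infected phone -> card.
The card, channel and latency values are constructed for illustration."""

import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Command APDU quoted in the analysis: ISO 7816-4 case 4 (Lc, data, Le).
SELECT_PPSE_HEX = "00A404000E325041592E5359532E444446303100"
PPSE_NAME = b"2PAY.SYS.DDF01"        # Proximity Payment System Environment


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]


def parse_apdu(raw: bytes) -> CommandApdu:
    """Parse a short-form ISO 7816-4 command APDU (cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs at least 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                               # case 1: header only
        return CommandApdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                         # case 2: Le only
        return CommandApdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match data length")
    rest = body[1 + lc:]
    if len(rest) > 1:
        raise ValueError("trailing bytes after Le")
    le = (rest[0] or 256) if rest else None    # case 3 (no Le) or case 4
    return CommandApdu(cla, ins, p1, p2, data, le)


def is_select_ppse(raw: bytes) -> bool:
    """True for SELECT (INS A4) by DF name (P1 04) of 2PAY.SYS.DDF01."""
    a = parse_apdu(raw)
    return a.ins == 0xA4 and a.p1 == 0x04 and a.data == PPSE_NAME


class StubCard:
    """Constructed stand-in for the victim's card. It answers SELECT PPSE with
    a minimal FCI template (tag 6F wrapping DF name tag 84) and SW 9000, and
    rejects everything else with 6A82 (file not found). Not real card data."""

    def transmit(self, cmd: bytes) -> bytes:
        if is_select_ppse(cmd):
            df_name = b"\x84" + bytes([len(PPSE_NAME)]) + PPSE_NAME
            fci = b"\x6F" + bytes([len(df_name)]) + df_name
            return fci + b"\x90\x00"
        return b"\x6A\x82"


class RelayChannel:
    """Hypothetical model of the attacker-controlled hop between the mule-side
    app at the terminal and the infected phone holding the card. Each APDU
    crosses the network twice; the per-APDU round-trip time is logged so it
    can be compared with a direct tap, which never leaves the reader field."""

    def __init__(self, card: StubCard, hop_latency_s: float = 0.0):
        self.card = card
        self.hop_latency_s = hop_latency_s
        self.log: list = []                    # (cmd hex, rsp hex, rtt seconds)

    def transmit(self, cmd: bytes) -> bytes:
        start = time.perf_counter()
        time.sleep(self.hop_latency_s)          # mule app -> C2 -> phone
        rsp = self.card.transmit(cmd)           # phone taps the card
        time.sleep(self.hop_latency_s)          # phone -> C2 -> mule app
        self.log.append((cmd.hex().upper(), rsp.hex().upper(),
                         time.perf_counter() - start))
        return rsp


def select_ppse(channel) -> Tuple[bytes, str]:
    """Send SELECT PPSE over any object with transmit() and return the
    DF name found in the FCI (tag 84) together with SW1SW2 as hex."""
    rsp = channel.transmit(bytes.fromhex(SELECT_PPSE_HEX))
    body, sw = rsp[:-2], rsp[-2:].hex().upper()
    df_name = b""
    if body[:1] == b"\x6F":                    # walk the FCI for tag 84
        inner, i = body[2:2 + body[1]], 0
        while i + 2 <= len(inner):
            tag, length = inner[i], inner[i + 1]
            if tag == 0x84:
                df_name = inner[i + 2:i + 2 + length]
            i += 2 + length
    return df_name, sw


if __name__ == "__main__":
    direct = StubCard()
    relayed = RelayChannel(StubCard(), hop_latency_s=0.05)   # 50 ms per hop, constructed
    print("direct :", select_ppse(direct))
    print("relayed:", select_ppse(relayed), "rtt %.3fs" % relayed.log[-1][2])
```

Run directly, the script prints the same DF name and status word for both paths; only the logged round-trip time separates the relayed exchange from the direct tap, which is why relay defences in the payment world focus on timing and device binding rather than on the APDU content itself.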
ThreatFabric assessed that the actor advertising the malware under the name “Go1ano developer” was likely a reseller rather than the original developer. Supporting evidence included multiple Chinese debug strings in the code and references to “NFU Pay,” an NFC relay MaaS platform promoted on Telegram. ThreatFabric concluded that Go1ano developer most likely purchased a customized build from NFU Pay and resold it. The malware's C2 exposed an endpoint path “/baxi/b”; “baxi” is the pinyin transliteration of 巴西 (Brazil), which supports the assessment that the observed variant was tailored to the Brazilian market. Wider reporting places PhantomCard within a broader wave of NFC-enabled Android fraud tooling documented during 2024 and 2025.
High-confidence indicators of compromise reported by ThreatFabric include Android package com.nfupay.s145 with SHA-256 a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f, and package com.rc888.baxi.English with SHA-256 cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667.
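As an added example (not part of the original report), the check below runs the two IOCs above against an Android package inventory. It takes the output of `adb shell pm list packages -f`, whose lines have the form `package:<apk path>=<package name>`, matches package names case-insensitively (the reseller's build used a mixed-case name) and hashes each APK to compare against the reported SHA-256 values. The `hunt` and `parse_pm_list` functions, the sample inventory lines and the fake APK bytes are all constructed for this page, so only the package-name rule can fire on the sample data; on a real device the `read_apk` callback would pull the APK over adb.

```python
"""Added example (not part of the original report): check an Android
device's package inventory against the PhantomCard IOCs quoted above.
Input is the output of `adb shell pm list packages -f`; the sample lines
and APK bytes below are constructed, so only the name rule fires here."""

import hashlib
from typing import Callable, Dict, List

# IOC table as reported by ThreatFabric: package name -> SHA-256 of the APK.
PHANTOMCARD_IOCS = {
    "com.nfupay.s145":
        "a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f",
    "com.rc888.baxi.English":
        "cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667",
}
IOC_PACKAGES = {p.lower() for p in PHANTOMCARD_IOCS}
IOC_HASHES = set(PHANTOMCARD_IOCS.values())


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.
    Split on the last '=', because APK paths on recent Android releases
    contain base64 segments that themselves end in '=' padding."""
    inventory = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        inventory[name] = path
    return inventory


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hunt(pm_output: str, read_apk: Callable[[str], bytes]) -> List[dict]:
    """Flag installed packages matching an IOC by name or by APK hash.
    A renamed build defeats the name rule and a rebuilt APK defeats the
    hash rule, so both are evaluated and reported separately."""
    hits = []
    for name, path in parse_pm_list(pm_output).items():
        reasons = []
        if name.lower() in IOC_PACKAGES:
            reasons.append("package name matches IOC")
        digest = sha256_hex(read_apk(path))
        if digest in IOC_HASHES:
            reasons.append("APK SHA-256 matches IOC")
        if reasons:
            hits.append({"package": name, "apk": path,
                         "sha256": digest, "reasons": reasons})
    return hits


# Constructed sample inventory and fake APK contents (not real samples).
SAMPLE_PM_OUTPUT = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~Qk3x==/com.nfupay.s145-7h2A==/base.apk=com.nfupay.s145
package:/data/app/~~Zz9p==/com.example.notes-aB1C==/base.apk=com.example.notes
"""
FAKE_APKS = {
    "/product/app/Calendar/Calendar.apk": b"PK\x03\x04 calendar",
    "/data/app/~~Qk3x==/com.nfupay.s145-7h2A==/base.apk": b"PK\x03\x04 nfupay",
    "/data/app/~~Zz9p==/com.example.notes-aB1C==/base.apk": b"PK\x03\x04 notes",
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PM_OUTPUT, FAKE_APKS.__getitem__):
        print(hit)
```

A package-name hit alone is a lead, not a conviction: the same name could be reused by an unrelated app, so pull the APK and confirm the hash (or submit it for analysis) before acting on it.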
In this report we introduce PhantomCard - a new Android NFC-based Trojan targeting banking customers in Brazil and potentially expanding globally.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 2 techniques
Execution: 1 technique
Stealth: 1 technique
Credential Access: 2 techniques
Collection: 1 technique
Recent activity
9 sources tracked across advisories, community write-ups, and news. Summaries from those sources:
An Android trojan and NFC relay malware-as-a-service variant that enables relay attacks by capturing NFC data from victims' banking cards and relaying it to attackers for fraudulent POS or ATM transactions.
Android trojan that enables NFC relay attacks by capturing NFC data from bank cards and relaying it to the attacker's device to carry out fraudulent transactions at POS terminals or ATMs.
Referenced as an example NFC relay malware family similar to NFCShare (no additional behavior details provided in the content).
Android trojan enabling NFC relay fraud for banking transactions; targets Brazilian banking customers (per summary).