
Android Malware Unleashes NFC Fraud, Call Hijacking, and Root Exploits on Banking Sector

Updated: Aug 15

A New Wave of Android Malware Threatens Banking Security

A sophisticated new wave of Android malware is targeting banking customers, particularly in Brazil, through a multi-pronged attack strategy. This malware leverages Near-Field Communication (NFC) relay fraud, call hijacking, and exploits that grant root access to devices, posing a significant threat to financial data and transactions.

PhantomCard: NFC Relay Fraud in Action

Researchers have identified a new Android trojan named PhantomCard, which abuses the phone's NFC capabilities to carry out fraudulent transactions. It is distributed through fake web pages that imitate Google Play listings for legitimate card protection apps, tricking users into installing it. Once installed, the app prompts the user to hold their credit or debit card against the back of the phone for a supposed verification step. In reality, the malware relays the card data to an attacker-controlled server, allowing the criminals to transact as if they held the physical card. The relay is completed by a companion app on the fraudster's device, which receives the stolen card data and presents it to Point-of-Sale (PoS) terminals or ATMs.

  • NFC Relay Attack: Exploits NFC to relay card data for fraudulent transactions.

  • Distribution: Via fake Google Play web pages mimicking card protection apps.

  • Mechanism: Prompts users to place cards on their phone for "verification," then relays data.

  • Origin: Based on a Chinese malware-as-a-service offering called NFU Pay.

SpyBanker and Root Exploits Escalate Threats

Adding to the threat landscape, a separate campaign dubbed SpyBanker has been uncovered targeting Indian banking users. This malware, likely distributed via WhatsApp, manipulates the device's call forwarding settings so that incoming calls are redirected to an attacker-controlled number. SpyBanker can also steal sensitive banking information, SIM details, SMS messages, and notification data.

Furthermore, the research highlights the exploitation of rooting frameworks such as KernelSU, APatch, and SKRoot. A vulnerability discovered in KernelSU (version 0.5.7) could allow a malicious application to gain root access and full control of a compromised Android device, particularly if the malicious app is executed before the legitimate KernelSU manager. This underscores why any component that hands out elevated privileges must reliably authenticate the app requesting them rather than trusting whichever app asks first, and why strong access controls are essential on rooted devices.

Broader Implications for Financial Security

These evolving threats, including NFC relay services such as SuperCard X, KingNFC, and X/Z/TX-NFC, point to a growing trend of sophisticated attacks against financial institutions worldwide. The ease with which these tools are shared on underground forums and messaging groups complicates the threat landscape, making it harder for financial organizations to monitor and defend against emerging threats. The rise of contactless payments in regions such as the Philippines further increases the risk, because low-value transactions may bypass PIN verification, making fraud harder to detect and trace in real time.
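The last point is where an issuer's monitoring can still catch relayed transactions: a relayed card shows up at a terminal the cardholder could not physically have reached, often as a burst of small PIN-less taps just under the no-PIN limit. The following is an added example, not code from the article or from The Hacker News, showing how such a screen might run over transaction records. The record layout, the 50.00 no-PIN floor, the 900 km/h travel threshold, the burst window and the sample transactions are all constructed assumptions for illustration.

```python
"""Heuristic screen over contactless transaction records for relay-fraud indicators.

Two indicators are checked per card:
  * impossible_travel: consecutive taps farther apart than a cardholder could move
  * pinless_burst:     several low-value, PIN-less taps within a short window
Thresholds and sample data are constructed for this example (assumptions).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

LOW_VALUE_LIMIT = 50.0                 # assumed contactless no-PIN floor
MAX_TRAVEL_KMH = 900.0                 # faster than this is treated as impossible
BURST_WINDOW = timedelta(minutes=10)   # window for counting PIN-less low-value taps
BURST_COUNT = 3                        # taps in the window that trigger an alert


@dataclass
class Txn:
    card: str
    ts: datetime
    amount: float
    pin_verified: bool
    terminal_id: str
    lat: float
    lon: float


@dataclass
class Alert:
    reason: str
    card: str
    terminal_id: str
    ts: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two terminal locations in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def screen(txns: list[Txn]) -> list[Alert]:
    """Return one alert per (reason, card) pair found in the transaction stream."""
    alerts: list[Alert] = []
    seen: set[tuple[str, str]] = set()
    by_card: dict[str, list[Txn]] = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)

    for card, seq in by_card.items():
        seq.sort(key=lambda t: t.ts)
        for i, t in enumerate(seq):
            # Indicator 1: the card moved between terminals faster than a person can.
            if i > 0:
                prev = seq[i - 1]
                hours = (t.ts - prev.ts).total_seconds() / 3600.0
                dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
                if hours > 0 and dist / hours > MAX_TRAVEL_KMH:
                    key = ("impossible_travel", card)
                    if key not in seen:
                        seen.add(key)
                        alerts.append(Alert(*key, t.terminal_id, t.ts))
            # Indicator 2: a run of PIN-less taps under the limit inside the window.
            recent = [x for x in seq[: i + 1]
                      if t.ts - x.ts <= BURST_WINDOW
                      and not x.pin_verified and x.amount <= LOW_VALUE_LIMIT]
            if len(recent) >= BURST_COUNT:
                key = ("pinless_burst", card)
                if key not in seen:
                    seen.add(key)
                    alerts.append(Alert(*key, t.terminal_id, t.ts))
    return alerts


# Constructed sample: card-A is tapped with PIN in one city, then three PIN-less
# sub-limit taps appear at a distant terminal minutes later (relay pattern).
# card-B shows ordinary local use and should produce no alert.
T0 = datetime(2025, 8, 15, 12, 0)
SAMPLE_TXNS = [
    Txn("card-A", T0, 120.00, True, "term-home-01", -23.55, -46.63),
    Txn("card-A", T0 + timedelta(minutes=20), 45.00, False, "term-far-07", 14.60, 120.98),
    Txn("card-A", T0 + timedelta(minutes=23), 48.50, False, "term-far-07", 14.60, 120.98),
    Txn("card-A", T0 + timedelta(minutes=26), 49.90, False, "term-far-07", 14.60, 120.98),
    Txn("card-B", T0, 12.00, False, "term-home-02", -23.56, -46.64),
    Txn("card-B", T0 + timedelta(hours=2), 80.00, True, "term-home-03", -23.55, -46.62),
]

if __name__ == "__main__":
    for a in screen(SAMPLE_TXNS):
        print(f"{a.ts:%H:%M} {a.card} {a.reason} at {a.terminal_id}")
```

Both indicators are deliberately independent of the card data itself, since a relayed transaction carries a genuine card's responses; what the issuer can still see is where and how often the card is being presented.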

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits, The Hacker News.
