A new Android banking threat has emerged, turning smartphones into tools for high-tech fraud. Cybersecurity researchers have uncovered a sophisticated trojan called PhantomCard, which leverages near-field communication (NFC) to perform relay attacks, a technique that allows attackers to mimic a victim’s card and authorize fraudulent transactions in real time. First detected in Brazil, PhantomCard represents a dangerous evolution in mobile banking threats, combining stealth, technical complexity, and real-world financial impact.
Origins: From China to Brazil
According to ThreatFabric, PhantomCard originates from a Chinese-developed malware-as-a-service (MaaS) platform called NFU Pay.
This platform specializes in NFC relay fraud and is actively marketed on underground forums and Telegram channels. The malware is distributed via fake Google Play pages mimicking legitimate card protection apps, such as “Proteção Cartões,” and uses deceptive reviews to lure victims into installing it.
Once installed, PhantomCard prompts users to tap their card against the phone and enter their PIN. The data is then relayed to a fraudster’s device, enabling them to conduct transactions as if they physically possessed the card.
Scale and Global Reach
While Brazil remains the primary target, the developer behind PhantomCard, known as Go1ano, claims the malware is globally compatible and 100% undetectable on all NFC-enabled Point-of-Sale (PoS) terminals.
PhantomCard is part of a growing ecosystem of NFC-based fraud tools, including Super Card X, KingNFC, and Track2NFC, which are widely available in underground markets.
Related Malware with Global Activity
Other Android banking trojans from the same ecosystem have already expanded beyond Brazil:
- Crocodilus: Active in Argentina, India, Spain, Turkey, and more.
- Spy Banker: Targeting Indian users via WhatsApp and phishing pages.
- Ghost Spy and BTMOB: Linked to PhantomCard’s developer and active in Latin America.
These campaigns show a clear trend: attackers are scaling their operations globally, exploiting mobile banking adoption and NFC technology.
Lessons Learned from PhantomCard
PhantomCard offers several key takeaways for cybersecurity professionals, mobile users, and financial institutions:
1. NFC Is a Growing Attack Surface
NFC technology, while convenient, is increasingly being exploited. PhantomCard shows how attackers can hijack contactless transactions in real time, bypassing traditional fraud detection systems.
2. Social Engineering Remains a Powerful Tool
The malware spreads through fake apps that mimic legitimate banking tools. This highlights the need for user education and vigilance when downloading apps—even from trusted sources.
3. Globalization of Threats
Although PhantomCard originated in Brazil, its architecture and marketing suggest a global intent. Malware is no longer confined to regional boundaries; it is designed to scale across languages, devices, and financial systems.
Outlook: What’s Next in Android Malware like PhantomCard
As mobile banking continues to grow, so will the sophistication of attacks targeting it. Expect to see:
- More NFC-based fraud, especially in regions with rising contactless payment adoption.
- Cross-platform threats that jump between Android, iOS, and desktop environments.
- Greater collaboration among threat actors, leveraging Telegram and dark web forums to share tools and tactics.
Financial institutions must invest in real-time threat intelligence, user education, and proactive security measures to stay ahead of these evolving threats.