PhantomCard, an NFC-driven Android Trojan in Brazil, relays card data to fraudsters, spread via fake Google Play “card protection” apps.
ThreatFabric warns of PhantomCard, a new NFC-driven Android trojan targeting Brazilian banking customers that may expand globally. The malicious code is based on a Chinese NFC relay Malware-as-a-Service offering and relays victims’ card data to fraudsters for cash-out. The threat actor behind this campaign is a known reseller of Android threats in Brazil and distributes the malware via fake “Google Play” pages posing as card protection apps.
In July 2025, ThreatFabric researchers monitored the activity of the Brazilian threat actor “Go1ano developer,” who launched “GHOST NFC CARD” malware. The mobile security firm analyzed it and dubbed it PhantomCard to avoid confusion with unrelated Ghost Card fraud.
“Mobile Threat Intelligence service has identified a campaign by PhantomCard targeting Brazilian users. In this campaign, PhantomCard masquerades as ‘Proteção Cartões’ (‘Card Protection’) application and is distributed via fake Google Play pages,” reads the report published by ThreatFabric. “Notably, the page also contains fake positive reviews that help to convince victims into installing the malware, referring to successfully blocked scam attempts.”
PhantomCard relays NFC data from victims’ cards to criminals’ devices for payments or ATM use. Once installed, it prompts victims to tap their card, captures NFC data, and requests the PIN to complete transactions via an NFC relay server under criminal control.
PhantomCard creates a live channel between a victim’s card and a POS/ATM near the criminal, enabling real-time fraudulent payments. A Telegram video shows a victim tapping their card while a fraudster pays remotely. Analysis revealed “Go1ano Developer” is reselling the malware, but he isn’t the author.
PhantomCard’s code contains Chinese debug messages and references to the “NFU Pay” MaaS, indicating that “Go1ano Developer” bought the malware and customized it to target mobile banking users. The researchers found that PhantomCard is tailored for Brazil, as demonstrated by its C2 endpoint “/baxi/b” (“baxi” is “Brazil” in Chinese). NFU Pay’s developers support region-specific versions, suggesting future variants targeting other regions globally.
The malware relays NFC card data using the device’s built-in NFC reader, targeting EMV cards via the ISO-DEP (ISO 14443-4) standard. It uses the “scuba_smartcards” library to parse card data, sends the APDU 00A404000E325041592E5359532E444446303100 (a SELECT-by-name command for the “2PAY.SYS.DDF01” application, i.e. the contactless Payment System Environment directory) to select the EMV PSE directory, and uploads the resulting metadata to its server. A tool installed on the victim’s side works with a criminal-side app to relay transactions between the POS terminal and the victim’s card in real time.
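To see what that first command actually asks the card, the following added example (not code from the ThreatFabric report or from the malware) parses the ISO 7816-4 command APDU quoted above and labels the well-known EMV directory names; the hex string is the one from the article and the helper names are my own.

```python
# Added example: decode the command APDU quoted in the article so an analyst
# reading relay traffic or app logs can recognise what PhantomCard sends first.
from dataclasses import dataclass
from typing import Optional

# Constructed input: the exact hex string quoted in the article.
PHANTOMCARD_SELECT_APDU = "00A404000E325041592E5359532E444446303100"

# Well-known EMV directory DF names used with SELECT by name (INS A4, P1 04).
KNOWN_DF_NAMES = {
    b"1PAY.SYS.DDF01": "PSE (contact Payment System Environment)",
    b"2PAY.SYS.DDF01": "PPSE (contactless Payment System Environment)",
}

@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]   # short-form Le; 0 means "up to 256 bytes expected"

def parse_command_apdu(hex_str: str) -> CommandApdu:
    """Parse a short-form ISO 7816-4 command APDU (cases 1 to 4)."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                      # case 1: header only
        return CommandApdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                # case 2: header + Le
        return CommandApdu(cla, ins, p1, p2, b"", body[0])
    lc = body[0]                      # cases 3/4: Lc, data, optional Le
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the available data bytes")
    rest = body[1 + lc:]
    if len(rest) > 1:
        raise ValueError("unexpected trailing bytes (only short-form Le supported)")
    return CommandApdu(cla, ins, p1, p2, data, rest[0] if rest else None)

def describe(apdu: CommandApdu) -> str:
    """Human-readable label; SELECT by DF name is the case relay tools start with."""
    if apdu.ins == 0xA4 and apdu.p1 == 0x04:
        label = KNOWN_DF_NAMES.get(apdu.data)
        if label:
            return f"SELECT {apdu.data.decode('ascii')} -> {label}"
        return f"SELECT by name {apdu.data.hex().upper()} (AID not in table)"
    return f"INS {apdu.ins:02X} P1={apdu.p1:02X} P2={apdu.p2:02X}"

if __name__ == "__main__":
    print(describe(parse_command_apdu(PHANTOMCARD_SELECT_APDU)))
```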
The Android malware highlights the growing popularity of NFC-based attacks and the demand for services enabling them. Offered as Malware-as-a-Service, it lets low-skill fraudsters perform NFC relay fraud without deep technical knowledge. The Chinese-developed malware was customized for local actors, reflecting a reselling model seen with other threats such as BTMOB. For banks, PhantomCard poses a high fraud risk because the transactions appear legitimate, which calls for better monitoring and user awareness to detect and prevent such scams.
“The presence of PhantomCard-like malware on user’s device should be a strong risk indicator for financial organizations as it leads to fraud that is hard to spot with traditional transaction monitoring systems.” concludes the report. “Transactions would appear as coming from the physical card of the victim, confirmed by the PIN code, and only some unusual metadata about the transaction (merchant, location) might reveal the fraud origin of it.”
In April, Cleafy researchers discovered another malware-as-a-service (MaaS) called SuperCard X targeting Android devices with NFC relay attacks for fraudulent cash-outs.
Attackers promote the MaaS through Telegram channels; analysis shows that SuperCard X builds had Telegram links removed, likely to hide affiliate ties and hinder attribution, suggesting efforts to evade detection. Analysis of the SuperCard X campaign in Italy revealed custom malware builds tailored for regional use.
This campaign used an NFC relay technique to hijack POS and ATM transactions by relaying intercepted card data. The malware was delivered via social engineering: attackers attempt to trick victims into tapping their cards on infected phones. The researchers linked the campaign to the Chinese-speaking MaaS platform “SuperCard X” and noticed that the malware shares code with the NGate malware.