Beware of FjordPhantom: Phony Bank App Malware Targets Your Money
Promon has uncovered a novel Android malware family dubbed FjordPhantom, which uses app virtualization to evade detection: instead of tampering with the banking app on disk, it runs the malicious code and the targeted banking app together inside a container that the malware itself creates.
The attack begins by tricking victims into installing a counterfeit banking app that imitates a genuine one. The counterfeit app carries the malicious code and runs it inside a virtual environment, where it interferes with the real banking app's behaviour. The goal is to steal online banking credentials and manipulate account transactions.
The malware is distributed through email, SMS, and messaging apps, with attacks recorded in Southeast Asian countries including Indonesia, Thailand, Vietnam, Singapore, and Malaysia. In one documented case, FjordPhantom enabled the theft of $280,000 from a single victim; the malware's stealth was combined with social engineering in the form of phone calls from attackers posing as bank customer-support staff.
FjordPhantom uses virtualization to create a virtual container on the victim's device without the user's knowledge. The legitimate banking app is loaded into this container and runs alongside the malicious code, which can then read and alter the app's data and intercept confidential information.
Particularly alarming is that FjordPhantom undermines the Android sandbox, the fundamental isolation mechanism that keeps applications from interfering with each other: inside the container, the banking app no longer enjoys the separation it would have as a normally installed app. Because the banking app's own code is never modified, anti-tampering and signature-based detection that looks for repackaged or patched apps does not fire, which makes the attack hard to spot with conventional methods.
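As an added illustration (not code from the original article or from Promon), the following Java snippet shows the kind of runtime self-check a banking app can perform to notice that it has been loaded into an app-virtualization container rather than its own sandbox. It compares three things the container has to fake consistently: the app's data directory, the process name, and the set of APKs mapped into the process. The class and method names are mine, and the directory layout assumed is stock Android (`/data/data/<pkg>` or `/data/user/<n>/<pkg>` for app data, `/data/app/.../<pkg>-<id>/base.apk` for installed code).

```java
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Heuristic detection of app-virtualization containers (the evasion technique
 * described above). Added example, not Promon's or any bank's code; assumes a
 * stock Android filesystem layout.
 */
public final class VirtualContainerCheck {

    private VirtualContainerCheck() {}

    /** Stock data directory for a package: /data/data/<pkg> or /data/user/<n>/<pkg>. */
    static boolean isExpectedDataDir(String dataDir, String ownPackage) {
        if (dataDir == null) return false;
        Pattern p = Pattern.compile("^/data/(data|user/\\d+)/" + Pattern.quote(ownPackage) + "/?$");
        return p.matcher(dataDir).matches();
    }

    /** The process should be named after our package, optionally with a ":suffix". */
    static boolean isExpectedProcessName(String processName, String ownPackage) {
        return processName != null
                && (processName.equals(ownPackage) || processName.startsWith(ownPackage + ":"));
    }

    /**
     * Every .apk mapped into this process that is neither a system APK nor our own install.
     * In a virtualization container the host app's base.apk (and often a relocated copy of
     * our own APK under the host's data directory) shows up here.
     */
    static List<String> foreignApkMappings(List<String> mapsLines, String ownPackage) {
        List<String> foreign = new ArrayList<>();
        for (String line : mapsLines) {
            // /proc/self/maps columns: address perms offset dev inode [pathname]
            String[] f = line.trim().split("\\s+", 6);
            if (f.length < 6) continue;
            String path = f[5];
            if (!path.endsWith(".apk")) continue;
            boolean system = path.startsWith("/system/") || path.startsWith("/system_ext/")
                    || path.startsWith("/vendor/") || path.startsWith("/product/")
                    || path.startsWith("/apex/");
            // Installed layout: /data/app/<pkg>-<id>/base.apk or /data/app/~~<id>/<pkg>-<id>==/base.apk
            boolean ours = path.startsWith("/data/app/") && path.contains("/" + ownPackage + "-");
            if (!system && !ours && !foreign.contains(path)) foreign.add(path);
        }
        return foreign;
    }

    /** Runs all three heuristics against the live process; true means "treat as hostile". */
    public static boolean looksVirtualized(Context ctx) {
        String pkg = ctx.getPackageName();
        if (!isExpectedDataDir(ctx.getApplicationInfo().dataDir, pkg)) return true;
        if (!isExpectedProcessName(readProcessName(), pkg)) return true;
        return !foreignApkMappings(readLines("/proc/self/maps"), pkg).isEmpty();
    }

    private static String readProcessName() {
        // /proc/self/cmdline is NUL-separated; the first entry is the process name.
        try (FileInputStream in = new FileInputStream("/proc/self/cmdline")) {
            byte[] buf = new byte[256];
            int n = in.read(buf);
            int end = 0;
            while (end < n && buf[end] != 0) end++;
            return new String(buf, 0, end, StandardCharsets.UTF_8);
        } catch (IOException e) {
            return null;
        }
    }

    private static List<String> readLines(String file) {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(file))) {
            String line;
            while ((line = r.readLine()) != null) lines.add(line);
        } catch (IOException e) {
            // An unreadable maps file is unusual on a stock device; treat it as no evidence.
        }
        return lines;
    }
}
```

Call `VirtualContainerCheck.looksVirtualized(this)` early in `Application.onCreate()` and refuse to proceed (or report to the backend) when it returns true. Treat the result as one signal, not proof: a container that hooks the Java file APIs or libc inside the process can forge what these reads return, so the same checks are stronger when performed from native code, and they should be paired with server-side device attestation rather than relied on alone.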
Moreover, FjordPhantom can block functionality related to Google Play Services, which interferes with safety checks, such as root detection, that depend on those services. The malware also intercepts log output, which Promon reads as a sign that it is still under active development and being refined for attacks on additional applications. Promon warns that, given this ongoing development, FjordPhantom may expand its reach to new countries and targets in the future.