ThreatFabric’s Mobile Threat Intelligence team has identified PhantomCard, a new Android NFC-based Trojan capable of relaying contactless card data in real time, enabling cybercriminals to make fraudulent payments or ATM withdrawals as if they physically possessed the victim’s card.
According to the researchers, “PhantomCard relays NFC data from victim’s banking card to fraudster’s device… and is based on Chinese-originating NFC relay Malware-as-a-Service.”
Since the discovery of NFSkate (aka NGate) in March 2024 and Ghost Tap, ThreatFabric has observed a surge in NFC-based cash-out tactics. Multiple threat actor groups are now deploying tools that relay NFC payment data from victims’ devices to criminals’ equipment, effectively bypassing the need for stolen physical cards.
The emergence of PhantomCard signals growing demand for NFC relay Malware-as-a-Service: platforms that even low-skill fraudsters can use without developing their own tooling.
ThreatFabric tracked a Brazilian campaign where PhantomCard masqueraded as “Proteção Cartões” (“Card Protection”), hosted on fake Google Play pages complete with counterfeit five-star reviews.
One fabricated testimonial read:
“Excellent! I received a suspicious activity warning that turned out to be a scam attempt… I recommend it to everyone who uses a card on a daily basis.”
Once installed, the app prompts the user to tap their bank card on the phone, claiming to begin a verification process. Beyond the NFC permission declared in its manifest (granted at install time, with no runtime prompt), it requests nothing further; it reads the card over NFC and forwards the exchange in real time to a criminal-controlled relay server.
If a PIN is required for authentication, the Trojan requests it from the victim under the guise of a security check. The result: “a channel between victim’s physical card and POS terminal / ATM that cybercriminal is next to.”
PhantomCard specifically targets EMV cards that speak ISO-DEP (ISO 14443-4). Upon detecting an NFC card, it issues a SELECT APDU by DF name for "2PAY.SYS.DDF01", the Proximity Payment System Environment (PPSE) directory that contactless EMV cards expose. The card's response lists the available payment applications (their AIDs) and associated metadata, which the malware enumerates before relaying further traffic.
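The exchange described above, as an added example that is not ThreatFabric's analysis code nor anything taken from PhantomCard: it builds the standard SELECT-by-name APDU for "2PAY.SYS.DDF01", sends it to a simulated ISO-DEP card standing in for the victim phone's NFC tag (the object a relay forwards terminal APDUs to), and parses the File Control Information (FCI) the card returns to enumerate the payment applications. The FCI bytes are constructed for this example; the AIDs are the publicly documented Mastercard and Visa credit/debit AIDs, not data from the malware or a real card.

```python
"""
Added example (not ThreatFabric's or PhantomCard's code): build the SELECT PPSE
APDU, send it to a simulated ISO-DEP card, and parse the returned FCI to list the
payment applications a contactless EMV card advertises. The FCI below is
constructed for this example; the AIDs are the public Mastercard and Visa AIDs.
"""

PPSE_NAME = b"2PAY.SYS.DDF01"   # Proximity Payment System Environment (EMV contactless)


def select_apdu(df_name: bytes) -> bytes:
    """ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc <name> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(df_name)]) + df_name + b"\x00"


def parse_tlv(data: bytes):
    """Minimal BER-TLV parser (EMV subset). Returns (tag, value, constructed) triples."""
    items, i = [], 0
    while i < len(data):
        first = data[i]
        tag, i = first, i + 1
        if first & 0x1F == 0x1F:                       # multi-byte tag, e.g. BF0C
            while True:
                tag, i = (tag << 8) | data[i], i + 1
                if not data[i - 1] & 0x80:
                    break
        length, i = data[i], i + 1
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        items.append((tag, data[i:i + length], bool(first & 0x20)))
        i += length
    return items


def find_tags(data: bytes, wanted: int):
    """Collect every value carried under `wanted`, descending into constructed tags."""
    found = []
    for tag, value, constructed in parse_tlv(data):
        if tag == wanted:
            found.append(value)
        if constructed:
            found.extend(find_tags(value, wanted))
    return found


def enumerate_applications(response: bytes):
    """Turn a SELECT PPSE response (FCI + SW1SW2) into a list of {aid, priority}."""
    if response[-2:] != b"\x90\x00":
        raise ValueError("SELECT failed, SW=%s" % response[-2:].hex().upper())
    apps = []
    for entry in find_tags(response[:-2], 0x61):        # each 61 = one application template
        fields = {tag: value for tag, value, _ in parse_tlv(entry)}
        apps.append({
            "aid": fields[0x4F].hex().upper(),           # 4F = ADF name (AID)
            "priority": fields.get(0x87, b"\x00")[0],    # 87 = application priority indicator
        })
    return apps


# Constructed FCI: 6F { 84 DF-name, A5 { BF0C { 61 {4F, 87}, 61 {4F, 87} } } } + SW 9000
SAMPLE_PPSE_RESPONSE = bytes.fromhex(
    "6F31"
    "840E" "325041592E5359532E4444463031"       # 2PAY.SYS.DDF01
    "A51F"
    "BF0C1C"
    "610C" "4F07A0000000041010" "870101"        # Mastercard AID, priority 1
    "610C" "4F07A0000000031010" "870102"        # Visa AID, priority 2
    "9000"
)


class SimulatedCard:
    """Stands in for an Android IsoDep tag; a relay forwards terminal APDUs to this."""

    def transceive(self, apdu: bytes) -> bytes:
        if apdu == select_apdu(PPSE_NAME):
            return SAMPLE_PPSE_RESPONSE
        return b"\x6A\x82"                               # file or application not found


if __name__ == "__main__":
    card = SimulatedCard()
    for app in enumerate_applications(card.transceive(select_apdu(PPSE_NAME))):
        print(app)
```

On a real device the `transceive` call is `android.nfc.tech.IsoDep.transceive`, and a relay Trojan does nothing smarter than this loop: every APDU the attacker's terminal-side device receives is pushed over the network to the victim phone, handed to the card, and the response sent back. The PPSE SELECT is simply the first command in that conversation, which is why it is the one an analyst sees in the code.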
ThreatFabric notes that the malware code contains Chinese debug strings and package names referencing “NFU Pay”—a known NFC relay Malware-as-a-Service—indicating PhantomCard is a customized variant purchased from Chinese developers.
The actor distributing PhantomCard, known as “Go1ano developer”, is not the original author. Instead, they are what ThreatFabric calls a “serial” reseller—threat actors who “serve the same purpose as a ‘local distributor’ in legitimate businesses”, adapting foreign malware for local markets.
Go1ano also resells other malware families such as BTMOB and GhostSpy in Brazil, and recently transferred rights for these to another group, Pegasus Team.
While the current PhantomCard build is tailored for Brazil (one C2 endpoint includes “/baxi/b”, with “baxi” meaning “Brazil” in Chinese), ThreatFabric warns that NFU Pay’s customizability means similar Trojans could be adapted for other regions. The reseller even promotes PhantomCard as “working globally.”