A newly discovered strain of Android malware, dubbed PhantomCard, is turning contactless payment technology into a weapon for cybercriminals. Banks and security researchers are sounding the alarm after the Trojan was found quietly siphoning payment card data through a clever NFC-based trick.
The Scam: Disguised “Security” App That Steals Your Card
PhantomCard is masquerading as a card-protection tool — an app called Proteção Cartões — hosted on convincing fake Google Play pages. Once installed, it asks victims to tap their payment card to the phone “for protection.” In reality, the app uses NFC (near-field communication) to grab the card’s EMV chip data and PIN, then sends it to a remote server controlled by criminals.
From there, attackers can make the card “appear” at any ATM or point-of-sale terminal, completing transactions as if they had the physical card in hand.
A Growing Business Model for Fraudsters
Investigators say PhantomCard isn’t just a one-off tool. It’s being offered as Malware-as-a-Service (MaaS), meaning anyone willing to pay can deploy it for their own targeted NFC relay attacks. While most cases so far are linked to Brazil, experts warn the technique could spread globally.
This isn’t the first time NFC payments have been exploited — earlier tools like NGate and NFCGate demonstrated similar risks in Europe. The technology’s convenience has also made it a lucrative target: another malware variant, SuperCard X, combined phishing messages, fake banking alerts, and NFC relay cloning to steal funds in Italy, distributed via Telegram.
Why This Attack Works So Well
Unlike traditional banking malware, PhantomCard doesn’t need suspicious permissions that might raise red flags. NFC access is already part of normal Android features, making its activity harder to spot. The result is a stealthy, low-friction attack that can bypass typical bank fraud detection systems.
How to Defend Against NFC Relay Attacks
Security specialists recommend:
- Only install apps from verified sources — avoid links in emails, texts, or social media.
- Disable NFC when you’re not using it.
- Use reputable mobile security software such as Google Play Protect or zDefend.
- Stay alert for unexpected banking notifications and verify before acting.
- Never share your PIN or tap your card to your phone without a clear reason.
With contactless payments now embedded in everyday life, the rise of malware like PhantomCard shows how quickly convenience can be turned against consumers — and why staying a step ahead of scammers is no longer optional.
