New Android Malware Wave Hits Banking via NFC Relay, Fake Apps, and Root Exploits

Cybersecurity researchers have uncovered PhantomCard, a new Android banking trojan that abuses near-field communication (NFC) to conduct relay fraud.

🔑 How it works:

  • Victims install fake “card protection” apps from spoofed Google Play pages.
  • The app tricks users into placing their bank card on the phone, then secretly relays card data to attackers.
  • Victims are prompted to enter their PIN, giving fraudsters everything they need to authenticate transactions remotely.

The malware creates a direct channel between the victim’s card and a criminal’s PoS terminal/ATM, effectively letting attackers “tap to pay” as if they had the physical card.

But PhantomCard is not alone. Researchers also found:

  • SpyBanker in India, hijacking calls and stealing SIM/banking data.
  • Fake credit card apps for major Indian banks that steal card details and even mine cryptocurrency.
  • Malware that exploits root frameworks (KernelSU, APatch, SKRoot) to take complete device control.

📌 Why this matters
These attacks are part of a broader wave of NFC-based fraud tools (SuperCard X, KingNFC, Ghost Tap) being sold on underground forums and Telegram channels. Criminal groups are expanding operations across Brazil, Southeast Asia, and India – regions with high contactless payment adoption.

How to protect yourself:

  • Only install apps from official app stores and verified publishers.
  • Keep Google Play Protect enabled (it is on by default).
  • Be cautious of requests to enter card PINs or install “security” apps sent via SMS/WhatsApp.
  • Financial institutions should strengthen fraud detection for NFC transactions and monitor for emerging global threats.
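
For the fraud-detection point above, one check an issuer can run is an "impossible travel" test on card-present events: a relayed card can appear at a distant terminal minutes after its real holder used it. This is an added example, not code from the researchers or any bank; the event fields, the 900 km/h ceiling and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling, roughly airliner speed

# Constructed sample events (not real transaction data).
SAMPLE_EVENTS = [
    {"id": "a1", "card": "A", "ts": "2025-08-14T10:00:00", "pos": (-23.55, -46.63), "entry": "chip"},
    {"id": "a2", "card": "A", "ts": "2025-08-14T10:20:00", "pos": (1.35, 103.82), "entry": "contactless"},
    {"id": "a3", "card": "A", "ts": "2025-08-14T11:00:00", "pos": (-23.56, -46.64), "entry": "contactless"},
    {"id": "b1", "card": "B", "ts": "2025-08-14T09:00:00", "pos": (19.08, 72.88), "entry": "contactless"},
    {"id": "b2", "card": "B", "ts": "2025-08-14T13:00:00", "pos": (28.61, 77.21), "entry": "contactless"},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_relay_suspects(events, max_kmh=MAX_KMH):
    """Return ids of contactless events that imply impossible card travel."""
    flagged = []
    last_seen = {}  # card -> (time, position) of the last trusted card-present event
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(ev["card"])
        if prev and ev["entry"] == "contactless":
            hours = (ts - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], ev["pos"])
            # Ignore sub-kilometre jitter; zero elapsed time over a real
            # distance is treated as impossible too.
            if km > 1.0 and (hours <= 0 or km / hours > max_kmh):
                flagged.append(ev["id"])
                continue  # a suspect event must not move the card's baseline
        last_seen[ev["card"]] = (ts, ev["pos"])
    return flagged

if __name__ == "__main__":
    print(flag_relay_suspects(SAMPLE_EVENTS))
```

The check only catches relays where the receiving terminal is far from the card's recent legitimate use, so it complements other signals and does not replace them.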

👉 At Alcaeus Services, we don’t just report threats — we help organizations stay ahead of them.
