PhantomCard Malware: NFC Trojan Threatens Bank Cards in Brazil

Written by Adan Cuevas | Aug 20, 2025 1:00:00 PM

In the world of cybersecurity, criminals never stop innovating, and this time the target is NFC-enabled cards. A new malware called PhantomCard is wreaking havoc in Brazil and, according to experts, could spread to other countries soon.

 

What is PhantomCard and How Does It Work?

 

PhantomCard disguises itself as a “Card Protection” app on fake websites that mimic Google Play. It even displays fabricated positive reviews to convince users to install it.

Once on your device, the malicious app asks you to hold your card close to the phone. At that moment, it captures the card's NFC data and prompts you to enter your PIN. That combination allows attackers to relay the transaction in real time from another device, as if you were paying at an ATM or point-of-sale terminal thousands of miles away.

In short: your card stays with you, but criminals can use it remotely as if they were right next to you.

 

The Origin and Strategy Behind the Attack

 

Researchers at ThreatFabric discovered that PhantomCard is based on malware developed in China under the Malware-as-a-Service (MaaS) model. This means that even cybercriminals with little experience can rent and deploy it for sophisticated attacks.

In Brazil, a local actor known as Go1ano Developer distributes it, adapting the code to the market. The malware even contains Chinese references to “Brazil” inside its command-and-control server, showing it was customized for that region.

It relies on libraries that process EMV card data and transmits the information to a server controlled by criminals. All of this happens in seconds and remains invisible to the victim.

 

 

Why Is It So Hard to Detect?

 

The main problem is that the transactions look legitimate: they come from your real card, with the correct PIN. To bank fraud detection systems, everything appears normal. Only suspicious locations or metadata inconsistencies might raise an alert.

This makes PhantomCard especially dangerous, as it exploits the trust in contactless payments and banking infrastructure.
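
The "suspicious locations" signal mentioned above can be expressed as a geo-velocity check on card-present transactions. The following is an added example, not code from ThreatFabric or any bank; the field names, thresholds and sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0    # assumed floor: ignore short hops and geolocation noise


@dataclass
class Txn:
    card: str      # tokenised card reference (constructed)
    ts: datetime   # authorisation time, UTC
    lat: float     # terminal latitude
    lon: float     # terminal longitude
    terminal: str  # terminal label (constructed)


def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two terminals."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def implausible_travel(txns):
    """Flag consecutive same-card pairs that imply travel above MAX_KMH."""
    last, alerts = {}, []
    for t in sorted(txns, key=lambda t: t.ts):
        prev = last.get(t.card)
        if prev is not None:
            km = km_between(prev, t)
            # Clamp to one second so simultaneous authorisations do not divide by zero.
            hours = max((t.ts - prev.ts).total_seconds(), 1.0) / 3600
            if km >= MIN_KM and km / hours > MAX_KMH:
                alerts.append((prev.terminal, t.terminal, round(km), round(km / hours)))
        last[t.card] = t
    return alerts


# Constructed sample data: card-present, PIN-verified authorisations.
SAMPLE = [
    Txn("tok_A", datetime(2025, 8, 20, 12, 0), -23.5505, -46.6333, "POS-SaoPaulo"),
    Txn("tok_A", datetime(2025, 8, 20, 12, 20), -3.1190, -60.0217, "ATM-Manaus"),
    Txn("tok_A", datetime(2025, 8, 20, 18, 0), -3.1000, -60.0250, "POS-Manaus"),
    Txn("tok_B", datetime(2025, 8, 20, 9, 0), -22.9068, -43.1729, "POS-Rio"),
    Txn("tok_B", datetime(2025, 8, 20, 16, 0), -23.5505, -46.6333, "POS-SaoPaulo"),
]
```

A check like this only fires when a genuine card-present transaction falls close in time to the distant one, so it complements rather than replaces other metadata checks.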

 

Not an Isolated Case

 

PhantomCard is not alone. Other trojans, like SuperCard X, have already been detected in Europe using similar NFC relay techniques. This reveals a troubling trend: NFC-based attacks are growing, fueled by the malware-as-a-service model, which democratizes these tools among less technical criminals.

 

 

How to Protect Yourself

 

At TecnetOne, we recommend:

 

  1. Download apps only from official stores (Google Play or App Store).
  2. Be skeptical of “card protection” apps or tools requesting unusual permissions.
  3. Never enter your PIN in apps that don’t belong to your bank.
  4. Regularly review your bank statements and activate transaction alerts.
  5. Keep your device updated and protected with a trusted security solution.

 

Conclusion

 

The appearance of PhantomCard confirms that cybercriminals will continue finding creative ways to exploit technology against us. NFC, designed for fast and secure payments, has now also become an attack vector.

At TecnetOne, we believe the key lies in prevention: while criminals organize and professionalize their services, you can protect yourself by staying informed, adopting smart digital practices, and using security solutions tailored to new threats.