
PhantomCard: New NFC-driven Android malware emerging in Brazil 🇧🇷

14 August 2025

Our Mobile Threat Intelligence service has been monitoring NFC-relay threats and tactics since the discovery of NFSkate (aka NGate) in March 2024. Ghost Tap became another milestone in the evolution of NFC-based attacks, with cybercriminals using NFC relay for cash-out purposes.

Since then, the mobile threat landscape has been invaded by several threat actor groups introducing their own tools for the malicious relay of NFC data from a victim's card to a fraudster's device. The appearance of different malicious implementations indicates rising interest and demand amongst cybercriminals for tools capable of NFC relay fraud.

One of the recent discoveries made by ThreatFabric's analysts continues this trend. In this report we introduce PhantomCard - a new Android NFC-based Trojan targeting banking customers in Brazil and potentially expanding globally. Key takeaways:

  • PhantomCard relays NFC data from victim's banking card to fraudster's device
  • PhantomCard is based on Chinese-originating NFC relay Malware-as-a-Service
  • The actor behind the malware is a "serial" reseller of Android threats active in Brazil
  • PhantomCard is delivered via fake "Google Play" web-pages mimicking apps for "card protection"

PhantomCard - Ghost in the Pocket

ThreatFabric's researchers were monitoring the activity of the "Go1ano developer" threat actor, known for targeting Brazilian mobile banking users. In July 2025 this actor announced "GHOST NFC CARD" - a new malware able to relay NFC data from a victim's card. Our researchers identified and analysed samples of this malware, which we dubbed "PhantomCard" to avoid confusion with "Ghost Card" fraud, a term that refers to fictitious card data used in unauthorized transactions. PhantomCard is not related to that scheme: it is used to relay NFC data from the victim's card to the cybercriminal's device.

[Image: Slide1]

Distribution and Modus Operandi

Our Mobile Threat Intelligence service has identified a PhantomCard campaign targeting Brazilian users. In this campaign, PhantomCard masquerades as a "Proteção Cartões" ("Card Protection") application and is distributed via fake Google Play pages:

[Image: Slide2]

Notably, the page also contains fake positive reviews that help convince victims to install the malware, referring to supposedly blocked scam attempts:

"Excellent! I received a suspicious activity warning that turned out to be a scam attempt. I was able to act immediately and avoid any losses. I recommend it to everyone who uses a card on a daily basis."

When installed, PhantomCard does not require the user to explicitly grant any additional permissions and is immediately ready to perform its malicious operations. First, PhantomCard asks the victim to present a card:

[Image: phantomcard-step-1]

Translation from Portuguese (Brazil): Tap your card. Place your card on the back of your phone to begin the verification process.

When the card is detected, the screen will change:

[Image: phantomcard-step-2]

Translation from Portuguese (Brazil): Card Detected! Keep the card nearby until authentication is complete.

At this moment the NFC data is ready to be transmitted to the cybercriminal's device, where it is used for a payment or at an ATM. The data is transmitted via an NFC relay server under the criminals' control.

As a next step, PhantomCard requests the card's PIN code so that it can be provided to the fraudster to authenticate the transaction (if needed):

[Images: phantomcard-step-3, phantomcard-step-4]

Translation from Portuguese (Brazil):

  1. Enter your password. For security reasons, enter your 4-digit password to confirm verification. Is your password 6 digits long? Activate the option below to enter 6 digits.
  2. .. Your card is being verified, please wait for the process to complete. Synchronizing with the bank... Verifying security...

As a result, PhantomCard establishes a channel between the victim's physical card and the POS terminal or ATM that the cybercriminal is standing next to, allowing the cybercriminal to use the victim's card as if it were in their hands. The following screenshots are taken from a video shared by the actor on their Telegram channel, demonstrating PhantomCard in operation:

[Image: Slide3]

On the left: "victim" tapping the card against the device infected with PhantomCard.
On the right: fraudster paying with the relayed card at a POS terminal.

Examining the roots

While analysing the PhantomCard malware, our analysts identified that the actor selling PhantomCard is not its actual developer. The source code contains many debug messages in Chinese, as well as a package name referring to "NFU Pay", a Malware-as-a-Service promoted on Telegram:

[Image: Slide4]

"NFU Pay" is one of the several services available on the underground market similar to SuperCardX, KingNFC, X/Z/TX-NFC, etc. Thus, we conclude that “Go1ano Developer” purchased a customised version of PhantomCard from “NFU Pay” and started providing it as Malware-as-a-Service, already masqueraded to target users of mobile banking. 

[Image: Slide5]

The customisability of "NFU Pay", the service underlying the PhantomCard malware, poses a global risk. Our analysts also identified indicators showing that PhantomCard is a tailor-made threat for the Brazilian market, and there may be more such variants. One of the endpoints on PhantomCard's Command-and-Control (C2) server is "/baxi/b": "baxi" is "Brazil" in Chinese (巴西, Bāxī). The developers of "NFU Pay" have clearly considered region-tailored versions of their service, and we can expect more variations of PhantomCard-like malware, operated by different actors and targeting other regions all over the world.

Meanwhile, when promoting PhantomCard, "Go1ano developer" explicitly mentions that it works globally and that they are open to adapting the malware as required:

[Image: regions]

Technical overview

PhantomCard's key feature is the ability to relay NFC card data. It relies on the NFC reader built into almost all modern devices. Unlike the generic implementation of the NFCGate research project (which became the starting point for NFC relay attacks and the base for NFSkate), where many different NFC tag types are supported, PhantomCard's implementation is specific to the ISO-DEP (ISO 14443-4) standard for contactless cards. This standard is used by EMV payment cards, which are PhantomCard's target. PhantomCard relies on the "scuba_smartcards" library to parse the data sent to and received from the card.

When PhantomCard discovers an NFC tag, it first tries to handle it as an ISO-DEP tag.

If successful, it then sends an APDU (Application Protocol Data Unit) command to the card:

00A404000E325041592E5359532E444446303100 - SELECT 2PAY.SYS.DDF01 – selecting Payment System Environment (PSE) directory

By sending this command, PhantomCard specifically targets EMV cards, as "2PAY.SYS.DDF01" is a directory used in EMV payment systems. Specifically, PhantomCard tries to locate the available payment applications and read metadata about them:

[Image: phantomcard-code-1]

If no exceptions occur (i.e. the card is an EMV card), the data is sent to the server, notifying the criminals that the victim's card is ready to be used.
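As an added example (not PhantomCard's or "NFU Pay"'s code), the following Python decodes the SELECT APDU quoted above and parses a constructed PPSE response the way any EMV reader must in order to enumerate the card's payment applications; this is the kind of data an analyst should expect to see leaving the device in the first relay message. The response bytes, the FCI layout used (6F > A5 > BF0C > 61) and all function names are assumptions for illustration.

```python
# Added example, not PhantomCard's code; response bytes below are constructed.
from typing import Iterator, Optional

# The APDU quoted in the report: CLA INS P1 P2 Lc, 14 data bytes, Le.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
# Constructed PPSE response: FCI (6F) > A5 > BF0C > two 61 entries, then SW 9000.
PPSE_RESPONSE = bytes.fromhex(
    "6F3E840E325041592E5359532E4444463031A52CBF0C29"
    "61124F07A0000000031010500456495341870101"
    "61134F07A000000004101050054445424954870102"
    "9000")

def decode_select(apdu: bytes) -> dict:
    """Split a short-length ISO 7816-4 SELECT-by-name APDU into its fields."""
    cla, ins, p1, p2, lc = apdu[:5]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "name": apdu[5:5 + lc].decode("ascii"), "le": apdu[5 + lc:].hex()}

def tlv_iter(buf: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (tag, value) from BER-TLV; handles 2-byte tags (BF0C) and long lengths."""
    i = 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if (tag & 0x1F) == 0x1F:           # second tag byte follows
            tag = (tag << 8) | buf[i]; i += 1
        length = buf[i]; i += 1
        if length & 0x80:                  # long form: 0x81 LL / 0x82 LL LL
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big"); i += n
        yield tag, buf[i:i + length]
        i += length

def find(buf: Optional[bytes], tag: int) -> Optional[bytes]:
    """Value of the first child carrying `tag`, or None (None input passes through)."""
    return None if buf is None else next((v for t, v in tlv_iter(buf) if t == tag), None)

def list_payment_apps(response: bytes) -> list[dict]:
    """List the AIDs advertised in a PPSE response. Returns [] when the card did
    not answer with an FCI, e.g. SW 6A82 'file not found' from a non-EMV tag."""
    if len(response) < 2 or response[-2:] != b"\x90\x00":
        return []
    directory = find(find(find(response[:-2], 0x6F), 0xA5), 0xBF0C)
    apps = []
    for tag, value in tlv_iter(directory or b""):
        if tag == 0x61:                    # one Application Template per candidate
            entry = dict(tlv_iter(value))
            apps.append({"aid": entry[0x4F].hex().upper(),
                         "label": entry.get(0x50, b"").decode("ascii", "replace"),
                         "priority": entry.get(0x87, b"\x00")[0]})
    return apps
```

A non-EMV tag (transport card, access badge) answers the SELECT with an error status word instead of an FCI, which is the "exception" path the malware uses to tell a payment card from everything else.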

When the attacker attempts to initiate a transaction, PhantomCard expects to receive a transaction instruction from the server. It then parses the command and sends it to the card:

[Image: phantomcard-code-2]

PhantomCard is the victim-side piece of the NFC relay tool. In order to initiate a transaction, the cybercriminal uses a corresponding criminal/mule-side application that receives and emits the data relayed from the victim's side, ensuring communication between the POS terminal and the victim's card.

[Image: Slide6]

"Serial" reseller

Another insight can be drawn from analysing the activity of the "Go1ano developer" threat actor: a modern cyber threat actor does not have to be a developer or technically skilled to distribute or sell malware to other threat actors. With plenty of Malware-as-a-Service offerings, a new type of cyber threat actor appears - the reseller. Such actors serve the same purpose as a "local distributor" in legitimate business: promoting, selling and supporting the product on the local market. This allows Malware-as-a-Service to gain global outreach by "outsourcing" promotion and support on rather specific underground markets, without the need to gain credibility there or dive into local specifics.

Such threat actors pose additional risks to local financial organizations, as they open the doors to a wider variety of threats from all over the world, threats that might otherwise have stayed away from certain regions due to language and cultural barriers, the specifics of the local financial system, or a lack of cash-out options. This, consequently, complicates the threat landscape for local financial organizations and calls for proper monitoring of global threats and of the actors behind them who target the organization.

Besides PhantomCard, "Go1ano developer" also claims to be the "trusted partner" of the BTMOB and GhostSpy spyware families in Brazil. This makes the actor a "serial" reseller with a diverse portfolio of threats for sale.

During our research, the reseller announced the transfer of rights for the malware families they were selling to "Pegasus Team" - another threat actor already known to ThreatFabric. The name "PegasusSpy" already popped up in our research on Rocinante - another Trojan targeting users in Brazil (not to be confused with the Pegasus spyware).

Conclusion

The appearance of PhantomCard on the mobile threat landscape brings several interesting insights. First of all, it once again confirms the rising popularity of NFC-based attacks among cybercriminals and the rising demand for services that allow performing such attacks. As Malware-as-a-Service, PhantomCard provides threat actors with an established infrastructure for NFC relay fraud, without the need to develop sophisticated software or dissect NFC protocols. Low-tech fraudsters can start fraudulent activity straight away, taking care only of the distribution of the malware.

Secondly, the activity of the threat actor behind PhantomCard indicates a reselling modus operandi. Original software developed by Chinese-speaking threat actors is taken and customized to serve the local demand of threat actors, opening the doors to broader reach. The same is done with other malware families like BTMOB, ensuring their global outreach and making various local threat actors aware of the malware's existence and capabilities. This scheme allows local threats to reach a global "market" and be used by multiple threat actors, even becoming (Malware-as-a-Service)-as-a-Service.

The presence of PhantomCard-like malware on a user's device should be a strong risk indicator for financial organizations, as it leads to fraud that is hard to spot with traditional transaction monitoring systems. Transactions appear to come from the victim's physical card, confirmed by the PIN code, and only some unusual metadata about the transaction (merchant, location) might reveal its fraudulent origin. Financial organizations are advised to monitor the activity of malware families like PhantomCard and NFSkate, and to raise awareness amongst their users so that they do not install suspicious applications that ask them to tap their card against the device to "verify" or "protect" it.
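As an added example (not from the report, with constructed data), the following Python implements the one check the paragraph leaves an issuer: because a relayed purchase is a genuine card-present, PIN-verified EMV transaction, it can only be contradicted by the card's other card-present history, here through an impossible-travel test on merchant location. The 150 km/h threshold, the function names and the sample transactions are assumptions for illustration.

```python
# Added example (not from the report): a control for the one signal the report
# says survives a relay. Relayed purchases arrive as card-present, PIN-verified
# EMV transactions, so the check uses only merchant/location metadata.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Txn:
    card: str           # tokenised card identifier (constructed values below)
    ts: int             # unix seconds
    card_present: bool  # chip/contactless at a terminal, as a relayed purchase is
    merchant: str
    lat: float
    lon: float

def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two transaction locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_relay_suspects(txns: list[Txn], max_kmh: float = 150.0) -> list[tuple[Txn, Txn]]:
    """Pairs of consecutive card-present transactions on one card whose implied
    travel speed exceeds max_kmh. Card-not-present history is ignored: only a
    physical-card transaction elsewhere can contradict a relayed one."""
    by_card: dict[str, list[Txn]] = {}
    for t in sorted(txns, key=lambda t: t.ts):
        if t.card_present:
            by_card.setdefault(t.card, []).append(t)
    suspects = []
    for history in by_card.values():
        for prev, cur in zip(history, history[1:]):
            hours = max(cur.ts - prev.ts, 1) / 3600
            if km_between(prev, cur) / hours > max_kmh:
                suspects.append((prev, cur))
    return suspects

# Constructed sample: the victim's own purchase in São Paulo, then five minutes
# later a chip-and-PIN purchase roughly 360 km away in Rio de Janeiro (tok-1);
# tok-2 is an ordinary customer moving across São Paulo over three hours.
SAMPLE = [
    Txn("tok-1", 1_754_000_000, True, "Padaria SP", -23.55, -46.63),
    Txn("tok-1", 1_754_000_300, True, "Loja RJ", -22.91, -43.17),
    Txn("tok-2", 1_754_000_000, True, "Mercado SP", -23.55, -46.63),
    Txn("tok-2", 1_754_010_800, True, "Posto SP", -23.60, -46.70),
]
```

The threshold is deliberately coarse; in production it would be combined with merchant-category and device-signal context, since a relay run in the same city as the victim leaves no geographic trace at all.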

Indicators of Compromise

App name | Package name | SHA256 hash
Proteção Cartões | com.nfupay.s145 | a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f
Proteção Cartões | com.rc888.baxi.English | cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667