FjordPhantom Android Malware Targets Banks With Virtualization

Written by

Security researchers have discovered a new Android malware, known as FjordPhantom, notable for its elusive nature and covert spreading tactics.

The malware was initially reported in early September in Southeast Asia, particularly Indonesia, Thailand and Vietnam, with potential activity in Singapore and Malaysia. It employs a combination of app-based tactics and social engineering to target banking customers. 

Writing in an advisory published today, Promon’s Security Research team said it received a sample from an affected customer. The team also learned that one FjordPhantom attack resulted in a substantial loss of 10m Thai Baht (approximately $280,000 at the time of writing).

From a technical standpoint, the malware primarily spreads through email, SMS and messaging apps, prompting users to download what appears to be their bank's legitimate app. 

Read more on Android malware: “FakeCalls” Android Malware Targets Financial Firms in South Korea

Following the download, a social engineering attack is initiated, often supported by a call center, guiding users through app execution. This enables attackers to monitor user actions, potentially guiding transactions or stealing credentials.

The malware’s distinctive feature lies in its use of virtualization, leveraging open source code from GitHub to embed a virtualization solution and hooking framework. By loading apps into virtual containers, FjordPhantom breaks the Android sandbox, allowing different apps to access each other’s files and memory. This approach circumvents traditional root access requirements, making attacks easier and evading root detection measures.

FjordPhantom embeds the APK of a specific banking app it targets, launching it within a virtual container without the user’s knowledge. This method allows the malware to inject additional code, including its own and the hooking framework, tailored for modular attacks on various banking apps. 

The advanced sophistication of the malware is evident in its use of the hooking framework to manipulate Accessibility services, GooglePlayServices and UI functionality, thereby evading detection methods and enabling further attacks.

To tackle this threat, Promon urged end users to exercise caution when downloading apps from untrusted sources and outside the primary app stores.

What’s hot on Infosecurity Magazine?