Cybersecurity researchers have disclosed a sophisticated Android malware named FjordPhantom, detected in Southeast Asian countries such as Indonesia, Thailand, and Vietnam since early September 2023.
Oslo-based mobile app security firm Promon reported that the malware spreads mainly through messaging services, combining app-based malware with social engineering to deceive banking customers. Email, SMS, and messaging apps are used to lure victims into downloading a supposed banking app that bundles the genuine app's features with malicious components.
The malware also uses a social engineering technique reminiscent of telephone-oriented attack delivery (TOAD): after installing the rogue app, victims are directed to contact a fake call center, where they are guided through further instructions.
FjordPhantom differs from other banking trojans in that it uses virtualization to run malicious code inside a container, sidestepping Android's sandbox protections. Because the malicious host and the targeted app execute within the same sandbox, the malware can reach sensitive data without needing root access.
Security researcher Benjamin Adolphi described how the virtualization works: the host loads its own code into a new process and then loads the targeted bank's genuine app inside the virtual container. From there the malware can tamper with the app's behavior, read sensitive information off the screen, and programmatically suppress the warnings the device would otherwise show.
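One way a banking app could check at runtime whether it has been loaded into another app's container, as an added illustration (not Promon's detection logic and not code from the original article). `ContainerCheck` is a hypothetical class, and the checks assume the stock Android install layout; a virtualization framework can hook the same APIs, so the result is one signal among several, not proof.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical runtime self-check for an app that suspects it is being virtualized. */
public final class ContainerCheck {

    /** Returns human-readable findings; an empty list means nothing suspicious was seen. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo info = ctx.getApplicationInfo();

        // 1. A normally installed app keeps its private data under
        //    /data/user/<id>/<pkg> (or legacy /data/data/<pkg>). A virtual container
        //    redirects it under the host app's own data directory instead.
        String dataDir = info.dataDir;
        if (dataDir == null || !dataDir.endsWith("/" + pkg)) {
            out.add("data dir does not belong to this package: " + dataDir);
        }

        // 2. Every installed app gets its own Linux UID. If the UID this process runs
        //    as is not owned by our package, our code was loaded into someone else's
        //    process, which is exactly what sharing a sandbox with a host app looks like.
        int uid = Process.myUid();
        String[] owners = ctx.getPackageManager().getPackagesForUid(uid);
        if (info.uid != uid || owners == null || !Arrays.asList(owners).contains(pkg)) {
            out.add("process UID " + uid + " owned by " + Arrays.toString(owners));
        }

        // 3. Android installs APKs under /data/app. An APK served from another app's
        //    private storage suggests the container copied an embedded bank APK there.
        String apk = info.sourceDir;
        if (apk != null && (apk.startsWith("/data/data/") || apk.startsWith("/data/user/"))) {
            out.add("APK loaded from app-private storage: " + apk);
        }
        return out;
    }
}
```

Any non-empty result is worth reporting to the app's backend so the bank can decide whether to refuse the session rather than relying on an on-device warning the container may suppress.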
Google’s spokesperson assured that Google Play Protect defends users against such malicious behavior, warning or blocking apps exhibiting harmful activities, even when sourced from outside Google Play.

FjordPhantom’s modular design enables it to target multiple banking apps, executing various attacks contingent upon the embedded banking application.