New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

December 01, 2023 | Newsroom | Mobile Security / Banking Security


Cybersecurity researchers have disclosed a new, sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries such as Indonesia, Thailand, and Vietnam since early September 2023.

“Spreading primarily through messaging services, it combines app-based malware with social engineering to trick banking customers,” Oslo-based mobile app security company Promon said in an analysis published Thursday.

Distributed primarily through email, SMS, and messaging apps, the attack chains trick recipients into downloading a purported banking app that has legitimate features but also includes rogue components.


Victims are then subjected to a social engineering technique similar to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app.

A key characteristic of the malware that distinguishes it from other banking trojans of its kind is the use of virtualization to run malicious code in a container and fly under the radar.

The sneaky approach, Promon said, breaks Android’s sandbox protections because it allows different apps to run in the same sandbox, enabling the malware to access sensitive data without needing root access.

“Virtualization solutions like the one used by malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything visible in its app) into a new process and then loads the code into the hosted application,” said security researcher Benjamin Adolphi.

In the case of FjordPhantom, the downloaded host app includes a malicious module and the virtualization element, which is then used to install and launch the embedded app of the targeted bank in a virtual container.


In other words, the host app is engineered to load the legitimate banking app in a virtual container while also using a hooking framework within that environment to alter the behavior of key APIs, programmatically scraping sensitive information from the application’s screen and closing dialog boxes that would warn users of malicious activity on their devices.
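One defensive response to the virtualization and hooking technique described above is for the banking app itself to check at startup whether it is running in its own sandbox. The following Java is an added, hypothetical example and not Promon's or FjordPhantom's code: it flags a private data directory that does not belong to the app's own package, and native libraries mapped into the process from another package, with an assumed allow-list for WebView providers.

```java
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
// Hypothetical startup check for a banking app: is our code running in the app's own Android
// sandbox, or inside a third-party virtualization container that hosts it as a guest app?
public final class VirtualizationCheck {
    // Package prefixes whose native code legitimately appears in a normal app process (WebView
    // providers). Assumption: adjust to the WebView implementations shipped on target devices.
    private static final String[] ALLOWED_FOREIGN = {
            "com.google.android.webview", "com.android.chrome", "com.google.android.trichromelibrary"};
    // Returns a reason string if the process looks virtualized, or "" if no indicator fired.
    public static String detect(Context ctx) {
        String self = ctx.getPackageName();
        // 1. A real install keeps private data under /data/user/<n>/<own package>; a
        //    virtualization host redirects it into its own sandbox directory instead.
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (dataDir == null || !dataDir.endsWith("/" + self)) {
            return "dataDir does not belong to " + self + ": " + dataDir;
        }
        // 2. Hooking frameworks and virtualization runtimes must map their own libraries into
        //    our process; scan /proc/self/maps for code owned by some other package.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf(" /data/");
                if (idx < 0) continue;
                String path = line.substring(idx + 1);
                String owner = ownerPackage(path);
                if (owner == null || owner.equals(self)) continue;
                boolean foreign = true;
                for (String a : ALLOWED_FOREIGN) if (owner.startsWith(a)) foreign = false;
                if (foreign) return "library from foreign package mapped in process: " + path;
            }
        } catch (IOException ignored) {
            // Unreadable on this device: inconclusive, so this check must not stand alone.
        }
        return "";
    }
    // Package owning a path under /data/data/<pkg>/, /data/user/<n>/<pkg>/ or /data/app/...
    // (Android 11+: /data/app/~~<rnd>/<pkg>-<rnd>/, older: /data/app/<pkg>-<n>/); null otherwise.
    static String ownerPackage(String path) {
        String[] p = path.split("/");                     // p[0] == "", p[1] == "data"
        if (p.length < 4) return null;
        if (p[2].equals("data")) return p[3];
        if (p[2].equals("user")) return p.length >= 5 ? p[4] : null;
        if (!p[2].equals("app")) return null;
        String seg = p[3].startsWith("~~") && p.length >= 5 ? p[4] : p[3];
        int dash = seg.indexOf('-');
        return dash > 0 ? seg.substring(0, dash) : seg;
    }
}
```

Both checks are heuristics that a container can attempt to defeat by hooking the same framework APIs, so they belong in a layered app-shielding strategy rather than serving as the sole gate.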

“FjordPhantom itself is written in a modular way to attack different banking apps,” said Adolphi. “Depending on which banking app the malware is embedded in, it will perform different attacks on these apps.”

