FjordPhantom Android Malware Targets Banks With Virtualization
Security researchers have discovered a new Android malware, known as FjordPhantom, notable for its elusive nature and covert spreading tactics.
The malware was initially reported in early September in Southeast Asia, particularly Indonesia, Thailand and Vietnam, with potential activity in Singapore and Malaysia. It employs a combination of app-based tactics and social engineering to target banking customers.
Writing in an advisory published today, Promon’s Security Research team said it received a sample from an affected customer. The team also learned that one FjordPhantom attack resulted in a substantial loss of 10m Thai Baht (approximately $280,000 at the time of writing).
From a technical standpoint, the malware primarily spreads through email, SMS and messaging apps, prompting users to download what appears to be their bank’s legitimate app.
Once the app is installed, a social engineering attack begins, often backed by a call center that walks the victim through running it. This lets attackers monitor the victim's actions, potentially steering transactions or stealing credentials.
The malware's distinctive feature is its use of virtualization: it embeds a virtualization solution and a hooking framework built from open source code on GitHub. By loading apps into virtual containers, FjordPhantom breaks the isolation the Android sandbox normally provides, so apps placed in the same container can read each other's files and memory. Because none of this requires a rooted device, the attack is easier to mount and is not caught by root-detection checks.
FjordPhantom embeds the APK of the specific banking app it targets and launches it inside a virtual container without the user's knowledge. This lets the malware inject additional code into the app, its own and that of the hooking framework, giving it a modular base for attacks on a range of banking apps.
The malware's sophistication shows in how it uses the hooking framework to tamper with Accessibility services, Google Play Services and UI functionality, evading detection and opening the way to further attacks.
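As an added defensive illustration, not code from Promon's advisory or from any bank, the Java below shows checks an Android banking app can run at startup to notice that it has been loaded into another app's virtual container: a private data directory redirected under another app, a process UID that is not the one the system assigned to the package, and a second app's APK mapped into its process. `ContainerCheck` and `findings` are hypothetical names; the Android and Java APIs used are standard.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
/** Startup heuristics for a banking app to notice that it runs inside another
 *  app's virtual container instead of its own Android sandbox. A hooking framework
 *  can spoof any one signal, so act on several independent findings, not one. */
public final class ContainerCheck {   // hypothetical class name, not a library API
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        String dataDir = ctx.getApplicationInfo().dataDir;
        // 1. The private data dir is normally /data/user/<n>/<pkg> or /data/data/<pkg>;
        //    a container redirects it into the host app's own directory tree.
        if (dataDir == null || !dataDir.endsWith("/" + pkg)) {
            out.add("dataDir redirected: " + dataDir);
        }
        // 2. The process UID must be the one the system assigned to this package. In a
        //    container the process runs as the host's UID; if the embedded APK was never
        //    installed on the device the lookup fails, which is also a finding.
        try {
            int installedUid = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
            if (installedUid != Process.myUid()) {
                out.add("uid mismatch: process=" + Process.myUid() + " installed=" + installedUid);
            }
        } catch (PackageManager.NameNotFoundException e) {
            out.add("package not installed on this device: " + pkg);
        }
        // 3. No other app's code should be mapped into this process, but a container
        //    host's APK shows up in /proc/self/maps beside ours. Production code needs
        //    an allowlist for legitimate exceptions such as the WebView provider's APK.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.trim().split("\\s+", 6);   // addr perms offset dev inode path
                if (f.length == 6 && f[5].startsWith("/data/app/") && !f[5].contains("/" + pkg + "-")) {
                    out.add("foreign app code mapped: " + f[5]);
                }
            }
        } catch (IOException e) {
            out.add("cannot read /proc/self/maps: " + e.getMessage());
        }
        return out;
    }
}
```

Each of these signals can be hidden by a hooking framework of the kind the article describes, so the findings are best fed into server-side risk scoring alongside other telemetry rather than used as a single local gate.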
To tackle this threat, Promon urged end users to exercise caution when downloading apps from untrusted sources and outside the primary app stores.