New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia
Security researchers recently uncovered a sophisticated Android malware named FjordPhantom, which has been actively targeting users in Southeast Asian countries, including Indonesia, Thailand, and Vietnam, since early September 2023.
According to an analysis by Oslo-based mobile app security firm Promon, FjordPhantom employs a combination of app-based malware and social engineering techniques to defraud banking customers. The malware predominantly spreads through messaging services, utilizing email, SMS, and messaging apps to trick recipients into downloading a fake banking app. This deceptive app includes seemingly legitimate features but also incorporates malicious components.
One distinctive feature of FjordPhantom is its use of virtualization to run malicious code within a container, allowing it to operate discreetly. This technique breaks Android sandbox protections by enabling different apps to run in the same sandbox, granting the malware access to sensitive data without requiring root access.
Security researcher Benjamin Adolphi explained that virtualization solutions used by the malware can inject code into an application by loading its own code into a new process and then introducing the code of the hosted application. In the case of FjordPhantom, the malicious module is included in the host app, along with the virtualization element. This combination is utilized to install and launch the embedded app of the targeted bank within a virtual container.
Essentially, the deceptive app loads the legitimate banking app in a virtual container while employing a hooking framework to alter the behavior of key APIs. This manipulation allows FjordPhantom to programmatically capture sensitive information from the legitimate app screen and close dialog boxes intended to warn users about malicious activity.
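One app-side mitigation that follows from this description, added here as an example (not Promon's analysis code and not the malware's): a heuristic check a banking app can run at startup to notice that it is being hosted inside another app's process by a virtualization framework instead of being installed normally by the system. It assumes only the standard Android SDK; the class name is hypothetical, and because the hooking framework described above can tamper with these same calls, the result belongs in server-side risk scoring rather than in a local-only decision.

```java
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic startup checks a banking app can run to notice that it is being
 * hosted inside another app's process by a virtualization framework rather
 * than installed normally. Hypothetical helper, not from any real SDK; each
 * check alone is weak, so act on the combined list (e.g. report to a backend).
 */
public final class VirtualContainerCheck {

    /** Returns the indicators found; an empty list means nothing suspicious. */
    public static List<String> findIndicators(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();

        // 1. A normally installed app's private data directory is
        //    /data/user/<n>/<package> (legacy: /data/data/<package>);
        //    a virtualized guest is given a directory inside the host app's.
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (dataDir == null || !dataDir.startsWith("/data/") || !dataDir.endsWith("/" + pkg)) {
            findings.add("dataDir not owned by package: " + dataDir);
        }

        // 2. The APK the system installed lives under /data/app/; a guest APK
        //    is typically loaded from a file inside the host app's storage.
        String apkPath = ctx.getPackageCodePath();
        if (apkPath == null || !apkPath.startsWith("/data/app/")) {
            findings.add("code path outside /data/app: " + apkPath);
        }

        // 3. The process name (/proc/self/cmdline) should be the package name
        //    or <package>:<suffix>; inside a container it is often the host's.
        String procName = readProcSelfCmdline();
        if (procName != null && !procName.equals(pkg) && !procName.startsWith(pkg + ":")) {
            findings.add("process name is not the package: " + procName);
        }
        return findings;
    }

    private static String readProcSelfCmdline() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/cmdline"))) {
            String line = r.readLine(); // NUL-separated argv; argv[0] is the process name
            return line == null ? null : line.split("\0")[0].trim();
        } catch (IOException e) {
            return null;
        }
    }
}
```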
When asked for a response, a Google spokesperson assured users that Google Play Protect provides protection by warning or blocking apps exhibiting malicious behavior on Android devices with Google Play Services, even if sourced from outside Google Play.
FjordPhantom is designed in a modular way, allowing it to adapt its attacks based on the specific banking app it targets. Depending on the embedded banking app, the malware tailors its attacks to exploit vulnerabilities in various banking applications.