
Since early September 2023, users in Southeast Asian countries such as Indonesia, Thailand, and Vietnam have been targeted by a new and highly sophisticated piece of Android malware known as FjordPhantom, according to cybersecurity analysts.

In an analysis released on Thursday, Promon, a mobile app security firm based in Oslo, said that the malware's primary method of defrauding banking customers is a combination of social engineering and app-based malware spread through messaging services.

Attack chains are distributed mainly through email, SMS, and messaging applications. They deceive victims into downloading a fake banking app that appears to offer legitimate functionality but also contains malicious components.

Victims are then put through a social engineering technique similar to telephone-oriented attack delivery (TOAD): they are told to call a fake call center, which walks them through launching the application step by step.

One feature that sets the malware apart from earlier banking trojans of its type is its use of virtualization to run malicious code inside a container and remain undetected.

According to Promon, this devious technique circumvents Android's sandbox protections by allowing multiple apps to run within the same sandbox, which grants the malware access to confidential information without requiring root access.

“Virtualization solutions like the one used by the malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything else found in its app) into a new process and then loads the code of the hosted application,” Benjamin Adolphi, a security researcher, said.

In the case of FjordPhantom, the virtualization component and the malicious module bundled in the downloaded host app are used to install and run the targeted bank's app, which is embedded in the host app, inside a virtual container.
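Because the container loads the real banking app's code into the host app's own process and UID, the hosted app can look for exactly the signs Adolphi describes. The class below is an added illustration written for this page, not code from Promon or from any banking app; it assumes an Android `Context`, uses only public SDK calls, and the names `ContainerCheck` and `findings` are hypothetical.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Heuristic check that this app runs in its own Android sandbox rather than inside a virtualization host. */
public final class ContainerCheck {

    /** Returns human-readable findings; an empty list means no sign of a container was observed. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. The Linux UID owning this process must belong to our package.
        //    Inside a container the process runs under the host app's UID instead.
        String[] owners = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        if (owners == null || !Arrays.asList(owners).contains(pkg)) {
            out.add("uid " + Process.myUid() + " is owned by " + Arrays.toString(owners) + ", not " + pkg);
        }

        // 2. Our private data directory should be the one Android assigns to our package
        //    (/data/data/<pkg> or /data/user/<n>/<pkg>), not a path under the host's directory.
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        boolean ownDir = dataDir.equals("/data/data/" + pkg)
                || (dataDir.startsWith("/data/user/") && dataDir.endsWith("/" + pkg));
        if (!ownDir) out.add("dataDir is " + dataDir);

        // 3. Any APK mapped into our process from /data/app that is not ours is foreign code
        //    sharing our sandbox (the host loads its own APK before loading the hosted app).
        Set<String> foreign = new LinkedHashSet<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int i = line.indexOf("/data/app/");
                if (i < 0 || !line.endsWith(".apk")) continue;
                String path = line.substring(i);
                if (!path.equals(ai.sourceDir) && !path.contains(pkg)) foreign.add(path);
            }
        } catch (IOException e) {
            out.add("could not read /proc/self/maps: " + e.getMessage());
        }
        for (String p : foreign) out.add("foreign APK mapped into process: " + p);
        return out;
    }
}
```

A container that hooks these framework calls can hide some of these signs, so treat a clean result as one signal among several rather than proof that the app is running natively.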