Cybersecurity researchers have detected a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.
“Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers,” Oslo-based mobile app security firm Promon said in an analysis published Thursday.
Primarily propagated via email, SMS and messaging apps, the attack series tricks recipients into downloading a purported banking app that is equipped with legitimate features but also contains rogue components.
Victims are then subjected to social engineering techniques such as Telephone-Oriented Attack Delivery (TOAD), which involves calling a fake call center to receive step-by-step instructions on how to run an app.
A key feature of the malware that differentiates it from other banking trojans of its kind is its use of virtualization to run malicious code in a container and fly under the radar.
The secret method breaks Android’s sandbox security because it allows different apps to run on the same sandbox, Promon said, making malware able to access sensitive data without needing root access.
“Virtualization solutions like the one used by the malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything else found in its app) into a new process and then loads the code of the hosted application,” security researcher Benjamin Adolphi said.
In the case of FjordPhantom, the downloaded host app contained a malicious module and virtualization element that was used to install and launch the targeted bank’s embedded app in a virtual container.
In other words, the bogus app is engineered to load the bank’s legitimate app in a virtual container while also employing a hooking framework within the environment to alter the behavior of key APIs to grab sensitive information from the application’s screen programmatically and close dialog boxes used to warn malicious activity on users’ devices.
“FjordPhantom itself is written in a modular way to attack different banking apps,” Adolphi said. “Depending on which banking app the malware is embedded in, it will perform different attacks on these apps.”