Promon has announced the discovery of a new form of banking malware dubbed FjordPhantom.
FjordPhantom targets banks throughout Southeast Asia and is successfully used by malicious hackers to commit fraud.
In early September, Promon received reports of a new Android malware spreading in Southeast Asia, primarily in Indonesia, Thailand, and Vietnam. Promon also believes that the malware is active in Singapore and Malaysia. In discussions with banks in the region, Promon learned that, at the time of writing, one customer had been defrauded of 10 million Thai Baht (approximately $280,000).
FjordPhantom combines several public tools to create sophisticated malware that places apps into a virtual environment to attack them. This evades advanced detection mechanisms that banking apps usually employ to protect themselves against malware. In addition, the malware includes an open source hooking framework that it uses to perform targeted attacks on specific apps.
FjordPhantom spreads primarily through email, SMS, and messaging apps. A user is prompted to download an app that looks like their bank’s own app. In reality, the downloaded app contains the real bank’s app, but it is run in a virtual environment with additional components that enable attacks on the app. After downloading, the user is subjected to a social engineering attack.
One of the targeted attacks Promon observed suppressed the detection of malicious screen readers and enabled the theft of user credentials. Another attack strategy was to hide the pop-up screen that apps show to warn users about suspicious activity on their device. This makes it easier for the attackers to perform social engineering attacks.
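As an added example (not Promon's code and not derived from the FjordPhantom sample), the following Android class in Java shows the kind of start-up checks a banking app can run to notice that it has been loaded into another app's process, which is what the virtual-environment technique described above relies on. The data-directory, UID and /proc/self/maps heuristics are assumptions about how typical app-virtualization containers behave, not details this write-up gives about FjordPhantom, and the class name and method names are my own.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic checks that a banking app can run at start-up to detect that it is being
 * hosted inside another app's process (an app-virtualization container) instead of
 * running from its own installation. Every check is a heuristic and an assumption
 * about typical containers; none of it is analysis code for FjordPhantom itself.
 */
public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /** Runs all checks and returns human-readable findings (empty list = nothing suspicious). */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. A normally installed app's private data directory carries its own package
        //    name (for example /data/user/0/<pkg>). A container usually redirects it into
        //    the host app's data directory, so the path no longer mentions our package.
        if (ai.dataDir == null || !ai.dataDir.contains("/" + pkg)) {
            out.add("dataDir does not belong to this package: " + ai.dataDir);
        }

        // 2. The installed APK path should likewise sit under our own install location.
        if (ai.sourceDir == null || !ai.sourceDir.contains(pkg)) {
            out.add("sourceDir does not reference this package: " + ai.sourceDir);
        }

        // 3. A normally installed app runs under its own Linux UID, so the package manager
        //    maps that UID back to this package (plus any sharedUserId siblings). Inside a
        //    container the process UID belongs to the host app instead.
        String[] uidPkgs = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        boolean uidMatches = false;
        if (uidPkgs != null) {
            for (String p : uidPkgs) {
                if (pkg.equals(p)) {
                    uidMatches = true;
                    break;
                }
            }
        }
        if (!uidMatches) {
            out.add("process UID is not owned by this package");
        }

        // 4. /proc/self/maps lists every file mapped into the process. An APK from a
        //    package other than ours being mapped means foreign code (a container host
        //    or its hooking framework) is loaded alongside the banking app.
        for (String line : readLines("/proc/self/maps")) {
            int idx = line.indexOf("/data/app/");
            if (idx >= 0 && line.endsWith(".apk") && !line.contains(pkg)) {
                out.add("foreign APK mapped into process: " + line.substring(idx));
                break;
            }
        }
        return out;
    }

    /** Reads a small text file line by line; an unreadable file yields no lines rather than a crash. */
    private static List<String> readLines(String path) {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            String l;
            while ((l = r.readLine()) != null) {
                lines.add(l);
            }
        } catch (IOException ignored) {
            // Treat an unreadable maps file as "no finding" so the check never blocks the app.
        }
        return lines;
    }
}
```

A caller would run `VirtualizationCheck.findings(getApplicationContext())` early in `Application.onCreate()` and report non-empty results to its back end rather than only reacting locally: code that runs inside a process the container controls can itself be hooked, which is exactly the weakness the write-up describes, so in-process results are most useful as one signal among server-side ones.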
“FjordPhantom highlights a new trend in malware using virtual environments to attack apps,” said Benjamin Adolphi, head of security research at Promon. “Virtualization is not a new thing. It is actively used by people who want to manipulate apps on their devices, e.g., to cheat in games. However, we have never seen malware using the same techniques to perform attacks on apps without the user knowing about it. Our analysis paved the way for several features to mitigate the attack vectors used by FjordPhantom. This functionality is available in the newest version of Promon SHIELD.”
“FjordPhantom is another example of a current trend in malware design; more attackers are preparing attacks and building new malware based on open-source tools and therefore can develop new attacks in no time,” said Henning Treichl, VP Product Management at Promon. “When we learned about the impact of this new malware, I spent a week in the region to learn more about it and meet with the impacted banks. The security experts I met confirmed our observation: there is an explosion in attacks, and most of the new malware is based on open-source tools, just like FjordPhantom. We anticipate more attacks using this malware because of the ability to drop existing apps into the framework and run the exploit.”
Promon received initial reports of FjordPhantom from i-Sprint, a key partner in Asia, and thanks them for their submission.
The name FjordPhantom was inspired by the intricate nature of Norway’s fjords, similar to how the malware features a complex, multi-layered attack vector. Phantom was chosen due to its elusiveness and ability to evade detection.