NFC Relay Android Malware

    Date: 09/30/2025

    Severity: Medium

    Summary

    PhantomCard is an Android malware used in NFC relay attacks (ghost tapping) to steal payment card data and commit fraud at ATMs and POS terminals. It's spread via Telegram and possibly the Google Play Store, and is linked to Chinese-speaking cybercriminals targeting financial and retail sectors.

    Indicators of Compromise (IOC) List

    URLs/Domains:

    https://nfc.nfu829.com/app/nfu.apk

    IP Addresses:

    43.157.171.245

    154.90.60.99

    154.205.156.112

    Hashes (SHA-256):

    df01a50867227fae6fa652d4cbc99a39f695ee5932574ea5c8e669f4882b56a3

    337bbb68d29a7d7763f02b4e7b753ab1de142d8dac0d47ff00a5bc41a2ad3245

    ae42632969be3247a465361395b04fec80b14622b94d3269fa02c6e062335a79

    258f044046b11803f85bf8d8095897bcd2775fb6152877a2f5054f625d019386

    189705223aa714897ffa8c61ac1d2dd37b5428502c45dcdd94b69e13e6a53d97

    48e435559476771b06ddfbe0a7fb00e34472cf736a81c9e42aac0a7f04804105

    9807c45356e82e876a02fc0157d0a4253c6967e34ce38ea62f9702b98893b990

    2a54b80e464c2000ae4c6c0e5bb6fbd205fb850d77ebbcb533c5a6c753606a37

    642c2f73fff0e453c9e6ae4de976a7821c512cb6dc5ed0c4aaf5e4dbf2596edb

    d567a41f802a7b7c498c78aadd4dde07662cb97527a751ed698026aa9c2ef6d7

    2d4d60254c4eb979eda144832020170338b0c18159bc597e5699709b7209e188

    4f3edcc4df7bc6b5b96d2a681602f35e1e1b8bbb103e21752ad94ddda28a1dc1

    f6ac2ac7cb521c38a334e0696db86a370f8be52ae563080c27982197719b74cf

    61a6aa241c354cc5b696146b5a2f08794c0b8865f3073675e22e0fa0f8fe5918

    30c8a8f570485b451e685acfb8d89df6bf7f01912f5d6a4c4ee7f48b7b7880f9

    daa45607401f00113a47565cb36ead5f6232a1c79d52641c4189c74c828fef4d

    1e760aa3505fd6539f4938da919fb2b6dc7aee014a83632d1ecb5425b01e55fc

    0fb7385e5880da21398918d0f85cf2515ec097e6be271d430f038ada1763fa9a

    21c66fe505f2bcd7b29d413189920b3a85df48da0ecf4eb6962d6a504a7fdcd8

    7fca16e7aa358c9d57054564c51a86031ebdcbedfa24ae42c26a8de3fdf24d44

    5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332

    5cecb80222d418b9adb93b5000aca54db28cd276d1d4d6f4f3bfa0e0167c5f5e

    a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f

    5e730e5f05acf7653291f3a06924553da36b16c6205f850a9388edfedad264ed

    cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://nfc.nfu829.com/app/nfu.apk" or siteurl like "https://nfc.nfu829.com/app/nfu.apk" or url like "https://nfc.nfu829.com/app/nfu.apk"

    Detection Query 2:

    dstipaddress IN ("43.157.171.245","154.90.60.99","154.205.156.112") or srcipaddress IN ("43.157.171.245","154.90.60.99","154.205.156.112")

    Detection Query 3:

    sha256hash IN ("5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332","d567a41f802a7b7c498c78aadd4dde07662cb97527a751ed698026aa9c2ef6d7","5e730e5f05acf7653291f3a06924553da36b16c6205f850a9388edfedad264ed","5cecb80222d418b9adb93b5000aca54db28cd276d1d4d6f4f3bfa0e0167c5f5e","48e435559476771b06ddfbe0a7fb00e34472cf736a81c9e42aac0a7f04804105","9807c45356e82e876a02fc0157d0a4253c6967e34ce38ea62f9702b98893b990","189705223aa714897ffa8c61ac1d2dd37b5428502c45dcdd94b69e13e6a53d97","2d4d60254c4eb979eda144832020170338b0c18159bc597e5699709b7209e188","258f044046b11803f85bf8d8095897bcd2775fb6152877a2f5054f625d019386","337bbb68d29a7d7763f02b4e7b753ab1de142d8dac0d47ff00a5bc41a2ad3245","daa45607401f00113a47565cb36ead5f6232a1c79d52641c4189c74c828fef4d","30c8a8f570485b451e685acfb8d89df6bf7f01912f5d6a4c4ee7f48b7b7880f9","4f3edcc4df7bc6b5b96d2a681602f35e1e1b8bbb103e21752ad94ddda28a1dc1","1e760aa3505fd6539f4938da919fb2b6dc7aee014a83632d1ecb5425b01e55fc","0fb7385e5880da21398918d0f85cf2515ec097e6be271d430f038ada1763fa9a","ae42632969be3247a465361395b04fec80b14622b94d3269fa02c6e062335a79","df01a50867227fae6fa652d4cbc99a39f695ee5932574ea5c8e669f4882b56a3","f6ac2ac7cb521c38a334e0696db86a370f8be52ae563080c27982197719b74cf","a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f","2a54b80e464c2000ae4c6c0e5bb6fbd205fb850d77ebbcb533c5a6c753606a37","642c2f73fff0e453c9e6ae4de976a7821c512cb6dc5ed0c4aaf5e4dbf2596edb","61a6aa241c354cc5b696146b5a2f08794c0b8865f3073675e22e0fa0f8fe5918","21c66fe505f2bcd7b29d413189920b3a85df48da0ecf4eb6962d6a504a7fdcd8","7fca16e7aa358c9d57054564c51a86031ebdcbedfa24ae42c26a8de3fdf24d44","cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667","df01a50867227fae6fa652d4cbc99a39f695ee5932574ea5c8e669f4882b56a3")
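The three queries above can be reproduced outside the TDIR platform, for example to sweep exported proxy, DNS and EDR logs. The following Python is an added example written for this advisory, not Gurucul's or Unit 42's code. It assumes the field names used in the queries (url, siteurl, domainname, srcipaddress, dstipaddress, sha256hash), interprets the domainname clause as a hostname match against the host of the URL indicator (a bare hostname field would never equal the full URL string), normalises case so that upper-case hashes and mixed-case hostnames still match, and carries only three of the listed hashes to stay short. The log records are constructed for the example.

```python
"""IOC matcher for the PhantomCard advisory: checks log events against the
URL/domain, IP and SHA-256 indicators in the same way the three TDIR queries do."""
from urllib.parse import urlparse

# Indicators copied from the advisory above. Only three of the listed SHA-256
# hashes are included here to keep the example short; the full list goes in the same set.
IOC_URLS = {"https://nfc.nfu829.com/app/nfu.apk"}
IOC_IPS = {"43.157.171.245", "154.90.60.99", "154.205.156.112"}
IOC_SHA256 = {
    "df01a50867227fae6fa652d4cbc99a39f695ee5932574ea5c8e669f4882b56a3",
    "337bbb68d29a7d7763f02b4e7b753ab1de142d8dac0d47ff00a5bc41a2ad3245",
    "5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332",
}
# Hostname derived from the URL indicator (assumption: DNS/proxy records that only
# carry the domain should still match). urlparse() lowercases the hostname for us.
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS}


def _norm_url(value: str) -> str:
    """Lowercase scheme and host, keep the path as-is (paths are case sensitive)."""
    p = urlparse(value.strip())
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def match_event(event: dict) -> list[tuple[str, str, str]]:
    """Return a (query, field, value) tuple for every indicator the event hits."""
    hits = []
    # Query 1: full-URL indicators on url/siteurl, hostname match on domainname.
    for field in ("url", "siteurl"):
        v = event.get(field)
        if v and _norm_url(v) in IOC_URLS:
            hits.append(("query1", field, v))
    d = event.get("domainname")
    if d and d.strip().lower().rstrip(".") in IOC_DOMAINS:  # tolerate trailing dot
        hits.append(("query1", "domainname", d))
    # Query 2: either endpoint of a connection is one of the listed IPs.
    for field in ("srcipaddress", "dstipaddress"):
        v = event.get(field)
        if v and v.strip() in IOC_IPS:
            hits.append(("query2", field, v))
    # Query 3: file hash; hashes are often logged in upper case, so normalise.
    h = event.get("sha256hash")
    if h and h.strip().lower() in IOC_SHA256:
        hits.append(("query3", "sha256hash", h))
    return hits


def scan(events: list[dict]) -> list[tuple[dict, list[tuple[str, str, str]]]]:
    """Return (event, hits) for every event that matches at least one indicator."""
    results = []
    for e in events:
        hits = match_event(e)
        if hits:
            results.append((e, hits))
    return results


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # proxy record: download of the APK from the staging host
    {"id": 1, "srcipaddress": "10.0.0.25", "dstipaddress": "43.157.171.245",
     "url": "https://nfc.nfu829.com/app/nfu.apk"},
    # DNS record: only the hostname is logged, with a trailing dot
    {"id": 2, "srcipaddress": "10.0.0.31", "domainname": "NFC.NFU829.COM."},
    # EDR/MDM record: APK hash reported in upper case
    {"id": 3, "sha256hash": "DF01A50867227FAE6FA652D4CBC99A39F695EE5932574EA5C8E669F4882B56A3"},
    # benign record
    {"id": 4, "srcipaddress": "10.0.0.40", "dstipaddress": "93.184.216.34",
     "url": "https://example.com/index.html"},
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(event["id"], hits)
```

Running the module prints the matching records 1, 2 and 3 with the query and field that fired; record 4 is silent. When loading the full hash list, note that the advisory repeats df01a508... at the end of its list and in Query 3; a set absorbs the duplicate, but a platform that counts matches per indicator will report that hash twice.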

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-25-IOCs-for-NFC-relay-Android-malware.txt


    Tags

    Malware, PhantomCard, NFC relay, Android Malware, China, Financial Services, Commercial Facilities, Telegram, Ghost tapping
