What’s FjordPhantom Android Malware: The new banking malware that evades detection with virtualization

200,000+ new banking Trojan installers were identified in 2022, twice the number reported in the previous year. Alarming right? And, that’s just the tip of the iceberg!

Malware, cybersecurity thefts and attacks have become extremely commonplace across industries, leading to monetary, reputational and other losses. Invariably, the banking sector is also one of the common victims to such malware and one such new malware is constantly infecting Southeast Asian countries. Being referred to as FjordPhantom Android malware, it has already spread across Indonesia, Thailand, Vietnam, Singapore, and Malaysia, via emails, SMS, and messaging apps with a one shot target of banking applications. 

This new type of android malware was brought to light by a leading mobile security solutions company, Promon, which highlighted how FjordPhantom, exploits the intersection of app-based malware and social engineering to defraud customers in a covert manner. The company also reflected on how the scale of defrauding is quite extensive with this malware, where it defrauded a customer out of ~$280,000. 

What’s unique about FjordPhantom?

While android malware is a common occurrence, why FjordPhantom made exclusive news and is turning heads, even for experts, is its unique nature. Essentially, it leverages virtualization to attack applications, a tool generally used for reverse engineering. Here’s a quick snapshot of how FjordPhantom works and attacks. 

Spready via emails, SMS and messaging applications, victims are tricked into downloading banking applications which look legitimate and identical to the applications of their banks. What perpetuates the attack is that this application actually runs in a virtual environment and contains malicious code running with additional components, which enables the attack. 

Once the malicious code is in, a series of social engineering attacks and on-device fraud take over. Calls, from attackers, who mask themselves as customer support agents guide customers to run the application. This enables the attackers to either guide victims to perform fraudulent transactions or steal credentials for continued attacks and fraudulent transactions. 

Let’s understand how virtualization comes into the picture. 

Essentially, FjordPhantom embedded a virtualization solution and hooking framework to perpetuate the attacks and malicious activities. For the purposes of FjordPhantom, the virtualization solution hosts different apps, installed into a virtual filesystem. Upon launch, the malware executes a malicious code in the same container as the app that the user intended to download and manifests itself as a part of the trusted framework. As the banking applications runs inside this container, FjordPhantom, easily injects its code to hook key API, enabling it to manipulate transactions, stealing credentials, accessing sensitive information and other fraudulent activities. 

For some applications, the dangers of FjordPhantom go beyond. It prevents the application from alerting the user with any danger warnings or messages, leaving the victims unaware of a fraud perpetrating within their application. 

What are the risks and challenges?

As unique as the way of operation is for FjordPhantom, the risks and challenges are also rather tricky and unusual to deal with. Here are some of the key risks and challenges which make FjordPhantom a novel malware.

Virtualization conveniently breaks the android sandbox. This is a security concept where each android application runs in an isolated sandbox, to prevent different applications from accessing each other’s data and interfering in operations. However, with virtualization, applications run in the same sandbox. 

Second, security check via root detection, a popular security measure to detect and prevent malware fails when it comes to FjordPhantom. Breaking the sandbox under usual circumstances requires root access on a device, something which is not needed when applications are in the same sandbox. Invariably, since there is no need to root the device, FjordPhantom evades the root detection security check. 

Third, FjordPhantom uses the hooking framework and leverages screenreaders to grab sensitive information of victims without their notice. Similarly it hooks into APIs related to GooglePlayServices, making them seem unavailable to evade rooting checks. The hooking framework also extends to logging, which leads to comprehensive monitoring and tracking of user behaviour, giving attackers inroads for more targeted attacks. 

Furthermore, the malware also hooks into the UI functionality of the application under use and takes charge of the safety related dialogue boxes that applications might have in place. Invariably, it automatically closes the safety alerts without the victim’s notice, the malware further perpetuates the attack, without any suspicion from the victim. 

Finally, since the malware doesn’t modify the code of the banking or the host application itself, code tampering detection as a means to detect and evade the threat also becomes a challenge. 

What’s next?

Promon, the trailblazer in identifying this malware, has warned citizens and organizations about the potential of a more sophisticated and wide scope attack by FjordPhantom. According to them, the malware is under active development and is likely to evolve or may have already evolved to target a larger category of applications as well as spreading its geographical base along the way. FjordPhantom’s deep focus on logging user behaviour is one of the key signs of this development, prompting caution at all levels. Here are a few ways to be wary of malware like FjordPhantom.

  • Access applications only from credible sources and authenticated websites or marketplaces
  • Be cautious while clicking on links from unknown references and avoid access links or attachments that you don’t recognize
  • Keep you mobile security up to date with regular updates, install a mobile security application and ensure its updation
  • Be cautious about the permissions you give to an application, avoid offering blanket approval for accessing everything because it’s convenient
  • Avoid giving sensitive information over the phone to anyone unknown, even those posing to be customer service executives

While preventing the spread of malware like FjordPhantom is beyond control, individuals and organizations can definitely spread awareness in their networks about the potential threats and ways to safeguard oneself. As attackers and malware become more sophisticated, awareness and caution can be our biggest weapons for a cyber resilient future.

Editorial Team

Disclaimer: The views expressed in this feature article are of the author. This is not meant to be an advisory to purchase or invest in products, services or solutions of a particular type or, those promoted and sold by a particular company, their legal subsidiary in India or their channel partners. No warranty or any other liability is either expressed or implied.
Reproduction or Copying in part or whole is not permitted unless approved by author.


Please enter your comment!
Please enter your name here

Latest Articles

Sign Up for CXO Digital Pulse Newsletters

Sign Up for CXO Digital Pulse Newsletters to Download the Research Report

Sign Up for CXO Digital Pulse Newsletters to Download the Coffee Table Book

Sign Up for CXO Digital Pulse Newsletters to Download the Vision 2023 Research Report

Download 8 Key Insights for Manufacturing for 2023 Report

Sign Up for CISO Handbook 2023

Download India’s Cybersecurity Outlook 2023 Report

Unlock Exclusive Insights: Access the article