The malware is believed to be wreaking havoc in the Asian countries Indonesia, Thailand, Vietnam, Singapore, and Malaysia. One victim was swindled out of 10 million Thai Baht, or around $280,000.
Researchers warn about Android malware that has stolen $280K from one victim alone
The attack is initiated by sending an email or message to a victim with a prompt to download a legitimate banking app. The catch is that once the app is downloaded, it is run in a virtual environment that gives the attackers control over what is happening. Virtualization provides a private execution environment for running code; its legitimate use is to let a user install the same app twice, for example so that two people sharing one device can each use it.
There’s also a social element to the attack: after an app is downloaded, the cybercriminals call the victim, posing as a customer service representative from the bank to help with running the app. This step can help the attacker trick the victim into performing a transaction or revealing credentials.
By loading a legitimate app into a virtual filesystem and using hooking, FjordPhantom interferes with the way Android normally handles the app and with the mechanisms that would flag any shady behavior.
Since the app is installed in a virtual container, it breaks the Android sandbox, which is a security feature that isolates an app’s code and data from other apps and the system. This way, if one app is malicious, it cannot manipulate other apps or the core system.
Without sandboxing, apps can access each other's files and inject code into each other. The approach also removes the need for root access and sidesteps root detection.
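The container described above leaves traces that an app can look for itself. The following Java snippet is an added example, not code from Promon or the article, of heuristics a banking app can run at start-up to notice that it has been loaded inside an app-virtualization container rather than installed by the platform; the class name and the hypothetical call site (an Android Context) are assumptions.

```java
// Added example (not Promon's code): detect signs that this process is hosted
// inside an app-virtualization container rather than installed by Android.
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class VirtualContainerCheck {

    /** Returns human-readable findings; an empty list means nothing suspicious was seen. */
    public static List<String> inspect(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();

        // 1. A platform-installed app keeps its data under /data/data/<pkg> or
        //    /data/user/<n>/<pkg>. A container redirects dataDir into the host
        //    app's own private storage (the "virtual filesystem" in the article).
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (dataDir == null
                || !dataDir.matches("^/data/(data|user/\\d+)/" + Pattern.quote(pkg) + "/?$")) {
            findings.add("dataDir outside expected location: " + dataDir);
        }

        // 2. The platform installs user apps below /data/app/; a container loads
        //    the APK from wherever it stored the copy it downloaded.
        String apk = ctx.getPackageCodePath();
        if (apk == null || !apk.startsWith("/data/app/")) {
            findings.add("APK loaded from unexpected path: " + apk);
        }

        // 3. Only this package's files should be mapped into the process. Files from
        //    another package's data directory mean another app is hosting (and hooking) us.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf("/data/data/");
                if (idx < 0) idx = line.indexOf("/data/user/");
                if (idx < 0) continue;
                String path = line.substring(idx);
                if (!path.contains("/" + pkg + "/")) {
                    findings.add("foreign package mapped in process: " + path);
                }
            }
        } catch (IOException e) {
            findings.add("could not read /proc/self/maps: " + e.getMessage());
        }
        return findings;
    }
}
```

Because the container hooks framework calls, the very APIs used here can be answered with faked values, so treat a clean result as weak evidence and cross-check it from native code or on the server side rather than trusting any single signal.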
Promon believes that FjordPhantom will continue to evolve. To protect yourself, make sure you only download apps from trusted sources and avoid giving out sensitive information over the phone, even if the person on the other end claims to be from your bank; banks typically never ask their customers for such information in a phone call.