{
	"id": "9d1b98de-6d54-42f9-96d3-cca9231a47f5",
	"created_at": "2026-04-06T01:30:18.088998Z",
	"updated_at": "2026-04-10T03:30:33.832447Z",
	"deleted_at": null,
	"sha1_hash": "b9dbe2a89f1d3bf070298fac844e7515b2a90a6d",
	"title": "Promon discovers FjordPhantom, Android banking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104472,
	"plain_text": "Promon discovers FjordPhantom, Android banking malware\r\nBy Benjamin Adolphi\r\nPublished: 2025-01-17 · Archived: 2026-04-06 01:08:32 UTC\r\nPromon has discovered a new type of Android malware, which the company has dubbed FjordPhantom, for its\r\nillusiveness and ability to spread covertly. This blog post explores what FjordPhantom is and how it works. \r\nBackground\r\nThrough longtime Promon partner i-Sprint, our Security Research team received reports of a new Android\r\nmalware spreading in Southeast Asia in early September, primarily Indonesia, Thailand, and Vietnam. Promon\r\nalso believes that the malware is active in Singapore and Malaysia. Spreading primarily through messaging\r\nservices, it combines app-based malware with social engineering to defraud banking customers. In discussions\r\nwith banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht\r\n(approximately $280,000) at the time of writing.\r\nPromon has received a sample of that malware which was pulled from an end-customer’s device. This sample\r\ntargets one specific bank but includes code that can also target other banking apps. We did not manage to find\r\nmore samples of that malware, and we were also unable to find any public information on this malware, so we\r\nperformed our own technical analysis. Android banking malware is omnipresent, and new malware families are\r\ndiscovered regularly. We found this malware unique because it uses virtualization to attack applications, which we\r\nhave not seen malware do before. Virtualization has typically been used as a tool in reverse engineering.\r\nHow FjordPhantom spreads \r\nFjordPhantom spreads primarily through email, SMS, and messaging apps. A user is prompted to download an app\r\nthat looks like their bank’s own app. 
In reality, the downloaded app contains the real bank’s Android app, but it is\r\nrun in a virtual environment with additional components that enable attacks on the app.  \r\nAfter downloading, the user is subjected to a social engineering attack. Typically, this is backed by an attack team\r\nin a call center. They purport to be customer service for the bank, guiding the customer through the steps to run\r\nthe app. The malware enables the attackers to follow the user’s actions, allowing them to either guide the user to\r\nperform a transaction or use the process to steal credentials. They can use these credentials for additional attacks.\r\nHow FjordPhantom uses virtualization\r\nThe malware is put together using different open source/free projects that can be found on Github. Most\r\nimportantly, it embeds a virtualization solution and a hooking framework to perform its attacks. We have chosen\r\nto omit certain technical details and the names of these tools to limit the reproducibility of the attack. \r\nhttps://promon.co/security-news/fjordphantom-android-malware/\r\nPage 1 of 4\n\nVirtualization solutions allow the installation and running of apps in a virtual container. They have become quite\r\npopular on Android in recent years. There are legitimate reasons for using such solutions, and Google accepts\r\nthem because many of these apps can be downloaded from the Google Play Store. A popular reason for using\r\nthese solutions is to be able to install the same app multiple times to log into them with different accounts. This is\r\nsomething that is usually not possible on Android. \r\nWhat exactly a “virtual container” means in this context varies between different virtualization solutions. \r\nIn the case of the solution used by FjordPhantom, the virtualization solution is an app that can host different apps.\r\nThe hosted apps are installed into a virtual filesystem. 
When a hosted application is launched, the solution creates\r\na new process that loads the application into it and then launches it. From the point of view of the Android system,\r\nthere is only one app (the host). This means that when the hosted apps are launched, they would also see that they\r\nare being run in the context of the host app, which would cause many issues with different kinds of apps because\r\nthey expect to be run in a well-defined environment.\r\nIn addition, as already mentioned, the hosted apps are installed into a virtual filesystem. So, for the hosted apps to\r\nexecute normally, the virtualization solution heavily relies on hooking, modifying different properties of the\r\nAndroid runtime environment, and proxying a lot of what the hosted applications do.\r\nVirtualization breaks the Android sandbox\r\nThe dangerous part about loading apps into virtual containers like this is that it breaks the Android sandbox.\r\nUsually, every app on Android runs isolated in its own sandbox. In the case of virtualization solutions like this,\r\ndifferent apps all run in the same sandbox. This enables them to access each other’s files and memory and debug\r\neach other. This also means that virtualization solutions can be a good choice for attackers. Usually, breaking the\r\nsandbox would require root access on a device. However, this is not required when apps are installed into the same\r\nsandbox. This makes attacks easier because there is no need to root the device, and it also prevents root detection,\r\na popular check for security-critical apps. Because of that, virtualization solutions have become quite popular\r\namong attackers.\r\nUntil now, all the attacks that we have seen involving virtualization solutions would be performed by an Android\r\ndevice user trying to attack an app they have installed. 
This can be useful to analyze apps with debuggers like gdb\r\nor lldb or hooking frameworks like Frida, or cheating in games using tools like GameGuardian without root\r\naccess. \r\nIn addition to that, virtualization solutions like the one used by the malware can also be used to inject code into an\r\napplication because the virtualization solution first loads its own code (and everything else found in its app) into a\r\nnew process and then loads the code of the hosted application. Traditionally, the most popular code injection\r\nmethod has been repackaging the application with additional code. Therefore, many security-critical apps perform\r\ndetection of repackaging, which makes attacks harder to pull off. However, using virtualization to inject code will\r\nbypass these detections because the original application is not modified.\r\nHow FjordPhantom works\r\nFjordPhantom uses the virtualization solution described above. It embeds the APK of a specific banking app that it\r\ntargets, and when it is launched, it installs and launches the embedded app in a virtual container. To the user, it\r\nlooks like the banking app launches without visible traces of the virtualization solution. Here’s what makes\r\nFjordPhantom unique: Compared to previous uses of virtualization attacks we have seen, it is not the device user\r\nthat invokes the virtualization, but the Android malware does so without the user’s knowledge. \r\nHosting the target application in a virtual container enables the malware to perform its attack. As described above,\r\nit has many attack possibilities. In the case of FjordPhantom, virtualization is mainly used to load additional code\r\ninto the process of the hosted application. The code that gets injected is the code of the actual malware itself and a\r\nhooking framework that the malware uses. 
\r\nFjordPhantom itself is written in a modular way to attack different banking apps. Depending on which banking\r\napp is embedded into the malware, it will perform various attacks on these apps. In the case of our malware\r\nsample, one specific banking app is embedded and targeted directly. But in the malware code, we have seen that it\r\ncan also target seven other banking apps. There are a couple of different attacks that the malware performs on the\r\napps it targets, which are described below.\r\nHow FjordPhantom uses hooking frameworks\r\nFjordPhantom uses the hooking framework it embeds to hook into APIs that apps typically use to determine if\r\nAccessibility services are turned on and which services are currently enabled. This is a standard method that apps\r\nuse to detect malicious Android screenreaders, and by hooking these APIs and returning false information,\r\nscreenreader detection methods can be bypassed. This makes it possible for attackers to use screenreaders to grab\r\nsensitive information from the application’s screen without the application knowing about it.\r\nSimilarly, the Android malware uses the hooking framework it embeds to hook into APIs related to\r\nGooglePlayServices, making it seem like they are not available. The GooglePlayServices are used by SafetyNet,\r\ncommonly used to detect rooting. By pretending GooglePlayServices are unavailable, apps trying to detect root\r\nmight be tricked into skipping the SafetyNet part of their rooting checks.\r\nFor some apps, the malware also hooks into UI functionality related to dialog boxes, and if they contain certain\r\ntext, it will close them automatically. We have investigated these dialog boxes in the target apps. They warn the\r\nuser that some potentially malicious activity has been detected on their device. 
Most of these dialog boxes cannot\r\nbe closed, preventing the user from using the app in a potentially malicious scenario. By preventing the user from\r\nseeing these dialog boxes and letting the user use the app normally, the malware enables further attacks on these\r\napps without raising suspicion.\r\nLastly, we have also seen that the malware is placing a lot of hooks that log different things that the target\r\napplications do without modifying their behavior. This is most likely a debugging functionality left in the malware\r\nto develop attacks on different apps. This indicates that FjordPhantom is under active development and potentially\r\nwill evolve or has evolved to target other apps already.\r\nConclusion\r\nFjordPhantom is a sophisticated Android malware used to commit real-world fraud. We encourage Promon\r\nfinancial services customers in the affected region to upgrade to one of the latest versions of Promon SHIELD™\r\n(version 6.5 or higher). We advise end users to exercise vigilance when downloading apps from untrusted sources\r\nor outside the primary app stores.\r\nSource: https://promon.co/security-news/fjordphantom-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://promon.co/security-news/fjordphantom-android-malware/"
	],
	"report_names": [
		"fjordphantom-android-malware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9dbe2a89f1d3bf070298fac844e7515b2a90a6d.pdf",
		"text": "https://archive.orkl.eu/b9dbe2a89f1d3bf070298fac844e7515b2a90a6d.txt",
		"img": "https://archive.orkl.eu/b9dbe2a89f1d3bf070298fac844e7515b2a90a6d.jpg"
	}
}