Connect with us

Hi, what are you looking for?


Malware & Threats

Diversifying Defenses: FjordPhantom Malware Shows Importance of a Multi-Pronged Approach

Security teams need to combine the angles of client-side and server-side detection in order to have the best chance of mitigating the risk of advanced mobile malware.

Recently, Promon discovered a new Android banking malware named “FjordPhantom”.  They published both an analysis of the mobile malware and a report assessing a sampling of online banking applications that may be vulnerable to this malware.  Both of these resources provide us with interesting insight and bring to light important security topics that are worth discussing.

The Promon analysis discusses how the malware spreads, noting that “FjordPhantom spreads primarily through email, SMS, and messaging apps. A user is prompted to download an app that looks like their bank’s own app. In reality, the downloaded app contains the real bank’s Android app, but it is run in a virtual environment with additional components that enable attacks on the app.”

Remember that point about being run in a virtual environment – that is an important one that we will soon return to.

The next phase of the attack involves social engineering. The Promon analysis shares that “After downloading, the user is subjected to a social engineering attack. Typically, this is backed by an attack team in a call center. They purport to be customer service for the bank, guiding the customer through the steps to run the app. The malware enables the attackers to follow the user’s actions, allowing them to either guide the user to perform a transaction or use the process to steal credentials. They can use these credentials for additional attacks.”

What we have here are two different types of social engineering. The first facilitates the malware being installed, while the second facilitates the attackers’ objective – namely to commit fraud by performing transactions that steal money from victims’ bank accounts and/or by stealing credentials. In order to understand how this works, we need to go back to the point about being run in a virtual environment.

On Android, there is a security feature that does not allow apps to see information from other apps, with one exception. That exception is when those apps are running in the same virtual environment – something the FjordPhantom malware exploits. So why does Android allow this functionality?

The Promon analysis explains that “Virtualization solutions allow the installation and running of apps in a virtual container. They have become quite popular on Android in recent years. There are legitimate reasons for using such solutions, and Google accepts them because many of these apps can be downloaded from the Google Play Store. A popular reason for using these solutions is to be able to install the same app multiple times to log into them with different accounts. This is something that is usually not possible on Android.”

Given all this, it is worth taking a step back and realizing what is happening here at a higher level. First, by tricking the user into downloading and installing the malicious app, the attackers avoid certain “tells” that would indicate that the app is being installed in an improper manner. Second, by running in a virtual environment, the malicious app can influence, manipulate, and steal data from the legitimate app without the OS forbidding that.  Third, by using out-of-band social engineering for the next phase of the attack, the attackers ensure that the legitimate user and the legitimate device are the ones performing the transactions.  This makes it so that the attackers avoid certain “tells” that would tell the online banking application that there is potential fraud and/or abuse going on.

Advertisement. Scroll to continue reading.

So what does all that mean for us as security professionals? Well, unfortunately for us, it means that we need to combine the angles of client-side and server-side detection in order to have the best chance of mitigating the risk of mobile malware like FjordPhantom and others like it. We need to employ a multi-pronged approach to ensure the greatest chance of defending our businesses. The attackers are constantly innovating and looking for ways around our defenses, and a single point of failure defensively is simply not an option.

Further, Promon’s research and analysis determined that 80% of the 113 top global banking apps they tested were vulnerable to FjordPhantom. Unfortunately, the ability of this malware to evade native client-side Android protections as well as server-side protections is a weak spot for many businesses. Mobile app protection is important for sure. But it is far more powerful when it complements/augments existing application protections and defenses to round out the overall security picture.

As with many topics in security, defense-in-depth improves our ability to mitigate the risk that mobile malware presents to our enterprises. While it may be tempting to consider one angle or one approach when looking to mitigate a given risk, looking at multiple angles often produces better value for the security team and the enterprise. One thing that is worth noting, though, is that threats like FjordPhantom will likely become a regular part of the threat landscape.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.