S1208 FjordPhantom
FjordPhantom is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. FjordPhantom was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.1
| Item | Value |
|---|---|
| ID | S1208 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 March 2025 |
| Last Modified | 12 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1617 | Hooking | FjordPhantom has used the hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that GooglePlayServices are unavailable, and manipulating UI functionality.1 |
| mobile | T1655 | Masquerading | FjordPhantom has masqueraded as legitimate banking applications.1 |
| mobile | T1660 | Phishing | FjordPhantom has been distributed via email, SMS and other messaging applications.1 |
| mobile | T1631 | Process Injection | FjordPhantom has injected malicious code and a hooking framework through a virtualization solution, i.e. Virtualization Solution, into the process of the hosted application.1 |
| mobile | T1670 | Virtualization Solution | FjordPhantom uses a virtualization solution to steal credentials.1 |