PhantomCall unmasked: An Antidot variant disguised as fake Chrome apps in a global banking malware campaign

IBM Trusteer Labs has uncovered a sophisticated Antidot malware campaign, dubbed PhantomCall, that targets users of major financial institutions across the globe. First observed in April, PhantomCall’s campaign has demonstrated aggressive distribution patterns, with widespread attacks spanning Europe, North America, the Middle East and Asia. In Southern Europe, the campaign has primarily focused on Spain and Italy, with additional activity observed in France. In North America, targets include users of well-known financial organizations in both the United States and Canada. The Middle East has seen a concentrated wave of attacks, particularly in the United Arab Emirates, while in Asia, India has emerged as a notable target. Among all affected regions, Spain and the UAE stand out as the top two most targeted countries. The UAE experienced a surge in attacks during late June and throughout July, while Spain has faced consistently high attack volumes, with a marked increase beginning in mid-August.

The investigation revealed that the campaign uses fake Chrome apps to trick victims into installing the malicious application. These apps act as droppers, letting the malware get around the accessibility service restrictions that Android 13 introduced for apps installed from sources outside Google Play.

PhantomCall also enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android’s CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation. These capabilities play a critical role in orchestrating high-impact financial fraud by cutting off victims from real communication channels and enabling attackers to act on their behalf without raising suspicion.
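As an added illustration for analysts (this is example code written for this write-up, not code from IBM Trusteer or from the malware), the snippet below statically triages an Android manifest for the capability mix described above: a Chrome-branded package that is not the real Chrome, an accessibility service, a CallScreeningService, and the CALL_PHONE permission that dialling USSD codes requires. The manifest is constructed; the permission and package names are standard Android identifiers.

```python
"""Static triage of an Android manifest for the PhantomCall-style capability mix.
Example code added to this write-up; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SCREENING = "android.permission.BIND_SCREENING_SERVICE"      # CallScreeningService binding
CALL_PHONE = "android.permission.CALL_PHONE"                  # needed to place calls / dial USSD
CHROME_PKG = "com.android.chrome"                             # package name of the real Chrome

# Constructed sample: a fake "Chrome" that declares all three risky capabilities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.update.chrome.fake">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Chrome">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Screen"
        android:permission="android.permission.BIND_SCREENING_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of human-readable findings for the given manifest text.
    Note: real manifests often use '@string/...' labels; resolving those
    requires the APK's resources and is out of scope here."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    bound = {s.get(ANDROID + "permission") for s in root.iter("service")}
    app = root.find("application")
    label = (app.get(ANDROID + "label") or "") if app is not None else ""

    findings = []
    if ACCESSIBILITY in bound:
        findings.append("declares an accessibility service")
    if SCREENING in bound:
        findings.append("declares a CallScreeningService (can block incoming calls)")
    if CALL_PHONE in perms:
        findings.append("requests CALL_PHONE (can dial USSD codes without user interaction)")
    if "chrome" in label.lower() and pkg != CHROME_PKG:
        findings.append(f"labelled 'Chrome' but package is {pkg}")
    return findings


def is_suspicious(xml_text):
    """Flag when Chrome impersonation coincides with at least two risky capabilities."""
    f = triage_manifest(xml_text)
    return any("labelled 'Chrome'" in x for x in f) and len(f) >= 3


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print("-", line)
    print("suspicious:", is_suspicious(SAMPLE_MANIFEST))
```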
