
Fjord Phantom Malware Process and Execution Analysis in Mobile Banking Application.pdf

The document analyzes FjordPhantom malware, which targets mobile banking applications on Android devices, exploiting vulnerabilities through virtualization techniques. It highlights the malware's ability to embed itself within banking applications and manipulate user data without detection. The research emphasizes the need for increased awareness and security measures among users of digital banking services due to the rising threat of such sophisticated malware.

Uploaded by

j4k4l0d4n9

Fjord Phantom Malware Process and Execution Analysis in Mobile Banking Application

Andi Muh. Aizar Farhan, Vincent, Oktavianus Satu Bima Metasakti, Drajad Wiryawan
School of Information System, Bina Nusantara University, Jakarta, Indonesia

Abstract—Technological development and acceleration cannot be avoided in the digital era. Technology is used in various transactions to support existing productivity. But behind it all, some vulnerabilities and risks always arise without users realizing it. One of them is FjordPhantom. FjordPhantom is the name of malware with different characteristics from most malware. This malware is a combination of malware attacks on various banking service applications. The process carried out by the creator of this malware is to embed the software into the virtualization server where the official banking service application is located. The impact is extraordinary and causes the users or customers served to suffer considerable material losses. This research was conducted to provide an overview of this malware in the real world. The author tries to study this by analyzing various information obtained from journals and papers related to the process and execution carried out by the malware on existing banking service applications. The research method used is qualitative, with a research model, namely, a systematic literature review. Based on the analysis results and conclusions obtained, 22 papers discussed this malware. In contrast, until now, most users of existing banking service applications have still not been aware of this malware. The author's hope in writing about the process and execution carried out by this malware is to provide an accurate picture that, behind the technology used and relied on by its users, it is always necessary to be aware of this threat and to take careful note of it when using the technology. In the future, other malware that is more technologically sophisticated may emerge.

Keywords— Malware, FjordPhantom, Mobile Banking, Virtual Machine, Android OS

I. INTRODUCTION

In today's highly developed digital era, using digital devices in everyday life is inevitable. The authors often encounter digital devices such as computers, laptops, smartphones, and tablets, both in banking and non-banking, so their use is beneficial and helps us in our activities. However, technology is also often used to carry out criminal activities in cyberspace, usually called cybercrime[1].

There are many types of cybercrime, one of which is often called hacking, where this activity infiltrates or breaks into digital devices used by users so that all data and networks owned can be publicly revealed [2]. It is due to the existence of tools in the form of software designed to damage the computer system used, which is called malware [3]. Although these two things are different, malware is often used in the hacking process to make it easier to steal data or commit other crimes.

Along with very rapid technological developments, conventional banking services are starting to be abandoned, and customers or users are switching to digital services. By using digital services, transactions can be carried out anywhere and at any time according to the needs of users or customers, thereby increasing the economy. However, this can also be a threat and a problem because banking services have been digitized, opening up opportunities for cybercriminals to commit crimes. Moreover, the techniques used to commit crimes are very diverse, ranging from fraud and phishing to malware. Therefore, using digital banking services makes the transaction process more accessible and, at the same time, increases the risk[4].

According to Kaspersky Security Network, during Q2 2023, 5,704,599 Android malware were blocked. Of the total malware that has been blocked, 30.8% is unwanted software. The malware also attacks Android users' mobile banking, as it was discovered in an online store embedded with JavaScript code to steal details from users' bank cards. Android devices have developed over time, increasing vulnerabilities in Android applications. It can happen because it is open source, and this statement is supported by the Quick Heal Quarterly Threat Report Q1, which states that Android malware was developed 304 times between 2011 and 2014. So, it can be concluded that Android is more vulnerable to malware attacks.

II. LITERATURE REVIEW

A. Virtualization

Virtualization in computer technology creates a new virtual environment that is not connected to a device's primary environment[5]. The virtualization technique also means separating the computer environment from its physical infrastructure and then dividing it into several virtual machines. It can run several tasks simultaneously on one device[6]. Virtualization can be a double-edged sword because it can hide malware and, conversely, detect dangerous things or malware[7].

In terms of malware detection, several tools can be used, one of which is Red Pill, but there is no 100% guarantee that this VM detection method will successfully detect malware [8]. The process of detecting malware attacks using a VM will be more difficult because there is no direct access to the physical memory of the VM[9], [10], [11].



Meanwhile, this technique can also threaten computer users in terms of hiding malware. One type of malware that uses VMs is Virtual Machine Based Rootkits (VMBR). This type of malware is hazardous because it operates in a virtual environment, so it is tough for the device's security system to detect it [10].

B. Malware

Malware is a combination of the words malicious and software, so the term malware is used when unwanted software aims to harm a system or make its functions not work[12]. Malware can be divided based on the characteristics of replication, propagation, self-execution, and damage to computer systems, where damage can impact confidential information, integrity, and service[12]. There are several types of malware, such as:

a. Trojans
   Trojans are malware applications that appear non-suspicious but steal confidential user information without the user's knowledge[13].
b. Backdoors
   Backdoors are software used to spread malware and prevent the malware from being detected by antivirus [13].
c. Worms
   Worms are malware that copies the desired information and then distributes it over the network [13].
d. Spyware
   Spyware is a non-suspicious malware application that monitors users' confidential information, such as messages, contacts, bank authentication numbers, and user location. This information is immediately sent to the attackers who created the application[13].

C. Cybercrime

Terms such as cybercrime, computer crime, cloud crime, and computer misuse refer to all criminal activities such as fraud, theft, extortion, forgery, and embezzlement related to the internet or computers, especially to access, transmit, or manipulate data illegally[14].

Cybercrime evolves from faulty applications or misuse of internet services. The concept of cybercrime is historical. Cybercrime is a new trend that is gradually growing along with the penetration of the internet into every sector of society, and no one can predict its future[14]. In general, cybercrime can be divided into two categories:

a. Crimes that directly affect computer networks and devices. Examples are malicious code, computer viruses, and malware[14].
b. Crimes facilitated by computer networks or devices. Examples include cyber stalking, fraud and identity theft, phishing scams, and information warfare[14].

D. Android

Android is a platform created by a company called Android Incorporation. Google has acquired Android and launched the Android Open Source Project (AOSP). Android, a reasonably young platform, underwent a speedy development process, so in 2016, Android dominated the market with 84.1% of the existing market share[15]. The factors that cause Android to dominate are as follows:

a. Android has a superior security platform compared to its competitors. Android combines features from the operating system, such as Unix user identifiers (UID), efficient shared memory, preemptive multitasking, and file permissions, with the Java programming language and its class libraries. Even though Android applications are written in the Java programming language, Android uses its own virtual machine rather than the standard Java one.
b. Android is used in various smartphone brands because the Android system itself can be easily changed according to the needs of smartphone manufacturers. Not only the Android software itself can be changed, but the hardware can also be changed. In updating the version of Android, smartphone manufacturers can be directly involved in the development process so that Android itself can be better known and used by other manufacturers[16].

E. FjordPhantom

Android malware, such as FjordPhantom, attacks the banking sector, specifically attacking banking applications to steal customer data. According to Promon, this malware is spread via SMS, email, and other messaging applications[17]. In its distribution, this malware uses virtualization and then combines it with Android-based malware.

This malware was created using open-source resources and can be found on the GitHub platform. It uses virtualization because it allows application programs to run in virtual containers[17]. Another purpose of using virtual containers is to prevent malware from being detected by the device's security system without the user's knowledge[18].

Not only that, this malware also uses a hooking framework to carry out its attacks on banking applications[17]. Fake banking applications are created to host genuine banking applications in a virtual container, which then uses a hooking framework to hook the API from the application and retrieve user data used to manipulate transactions[18], [19].

Fig. 1. FjordPhantom Illustration (adapted from [17])

F. Mobile Banking

Mobile banking is a breakthrough in the banking world, where technology has developed rapidly in this era. Along with the large number of smartphone users, the demand for mobile banking is increasing. It forces banks, microfinance institutions, software companies, and service providers to provide services that cover clients' needs. Mobile banking is believed to significantly impact the market because it makes all activities easier for users. According to Juniper Research, in 2017, more than 1 billion people used mobile banking, which was 15% of the total global mobile subscription base[20].

III. METHOD

This section will discuss the methods and data used by the author in this research.

A. Research Method

This research uses the Systematic Literature Review (SLR) method, which allows the author to collect and compile information from various sources. The SLR method can provide a detailed and comprehensive understanding of the topics the author presents. It can also be a reference and better study material for further research in this field or topic[21].

B. Research Step

In this research, the author uses literature studies from journals, articles, papers, and webpages sourced from the internet. The journals, articles, and papers were specifically sourced from Scopus and Google Scholar. The author also used Publish or Perish to facilitate the search process. To refine the research scope, specific keywords were used to facilitate more targeted searches. The following outlines the stages of the research:

Fig. 2. Research Step

C. Data Sources

In this research, the author used the Publish or Perish tool with Scopus and Google Scholar reference sources to narrow the search. Apart from that, the author also used the Google search engine to search for other references that were not found in the publication. Table I shows that 22 publications were selected by the author, with details of 16 publications coming from journals, 2 publications coming from conferences, and 4 websites.

TABLE I. Journal, Article, Paper, Webpage Collected

| Year  | Journal                  | Conference              | Webpage                  | Total (%)                 |
|-------|--------------------------|-------------------------|--------------------------|---------------------------|
| 2009  | [7]                      | -                       | -                        | 1 publication (4.54%)     |
| 2012  | [9]                      | -                       | -                        | 1 publication (4.54%)     |
| 2013  | -                        | [10], [11]              | -                        | 2 publications (9.09%)    |
| 2014  | [2]                      | -                       | -                        | 1 publication (4.54%)     |
| 2015  | [16], [20]               | -                       | -                        | 2 publications (9.09%)    |
| 2016  | [12]                     | -                       | -                        | 1 publication (4.54%)     |
| 2017  | [3]                      | -                       | -                        | 1 publication (4.54%)     |
| 2018  | [21]                     | -                       | -                        | 1 publication (4.54%)     |
| 2019  | [22]                     | -                       | -                        | 1 publication (4.54%)     |
| 2020  | [1], [8]                 | -                       | -                        | 2 publications (9.09%)    |
| 2021  | -                        | -                       | [6]                      | 1 publication (4.54%)     |
| 2022  | [14], [15]               | -                       | -                        | 2 publications (9.09%)    |
| 2023  | [4], [13]                | -                       | -                        | 2 publications (9.09%)    |
| 2024  | [5]                      | -                       | [17], [18], [19]         | 4 publications (18.18%)   |
| Total | 15 publications (72.72%) | 2 publications (9.09%)  | 4 publications (18.18%)  | 22 publications (100%)    |

IV. RESULT AND DISCUSSION

After analyzing the information obtained, the author found that the FjordPhantom malware uses virtualization techniques and messaging platforms in its distribution, such as SMS, email, and others[17]. Hooking frameworks allow the FjordPhantom malware to take over the API functions of the target application so that it can monitor and manipulate incoming data or information without the knowledge of the user or system[22]. With this method, FjordPhantom successfully bypasses the device's security system and becomes undetectable.

In the attack process, the FjordPhantom malware hosts the targeted banking application in a virtual container. In this case, virtualization techniques play a role in containing and running malicious code stored in virtual containers. In the execution process, when the user runs the application, it will run the application hosted in the virtual container. The malware will carry out its attack to steal the victim's bank account credentials and manipulate their transactions[17].

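A defensive check that follows from the hosting model described above, given here as an added example that is not taken from the paper or from Promon's analysis: it flags a banking app whose data directory or memory-mapped files belong to another package. It assumes that a container host redirects the guest app's storage under its own directory; the package names, paths, `/proc/<pid>/maps` lines and function names are all constructed for illustration.

```python
import re

# Standard Android locations for an app's private data and its installed code.
DATA_DIR_RE = re.compile(r"^/data/(?:data|user/\d+|user_de/\d+)/([A-Za-z0-9_.]+)(?:/|$)")
APP_DIR_RE = re.compile(r"^/data/app/(?:~~[^/]+/)?([A-Za-z0-9_.]+)-[^/]+/")

# Packages whose files an ordinary app may map (WebView, Google Play services).
# Assumption: adjust this list for the app being protected.
DEFAULT_ALLOW = ("com.google.android.webview", "com.google.android.gms")

def owning_package(path):
    """Package that owns an app-private path, or None for system paths."""
    for rx in (DATA_DIR_RE, APP_DIR_RE):
        m = rx.match(path)
        if m:
            return m.group(1)
    return None

def mapped_files(maps_text):
    """Yield the file paths named in /proc/<pid>/maps content."""
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6 and parts[5].startswith("/"):
            yield parts[5]

def container_indicators(expected_pkg, data_dir, maps_text, allow=DEFAULT_ALLOW):
    """Return findings suggesting expected_pkg runs inside another app's container."""
    findings = []
    owner = owning_package(data_dir)
    if owner != expected_pkg:
        findings.append("data dir %s is owned by %s" % (data_dir, owner or "unknown"))
    foreign = {owning_package(p) for p in mapped_files(maps_text)}
    foreign -= {None, expected_pkg, *allow}
    for pkg in sorted(foreign):
        findings.append("files mapped from foreign package %s" % pkg)
    return findings

# Constructed sample: the banking app started normally by the OS.
CLEAN_DATA_DIR = "/data/user/0/com.example.bank"
CLEAN_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:05 1001 /system/lib64/libc.so
7a1d000000-7a1d100000 r--p 00000000 fd:05 2001 /data/app/~~Qx1==/com.example.bank-Ab2==/base.apk
7a1e000000-7a1e100000 r--p 00000000 fd:05 2002 /data/app/~~Zz9==/com.google.android.webview-Cd3==/base.apk
7a1f000000-7a1f100000 rw-p 00000000 00:00 0 [heap]
7a20000000-7a20100000 rw-p 00000000 00:00 0
"""

# Constructed sample: the same app loaded inside a hypothetical host package.
HOSTED_DATA_DIR = "/data/user/0/com.example.hostapp/virtual/0/com.example.bank"
HOSTED_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:05 1001 /system/lib64/libc.so
7a1d000000-7a1d100000 r--p 00000000 fd:05 2001 /data/app/~~Qx1==/com.example.bank-Ab2==/base.apk
7a1e000000-7a1e100000 r-xp 00000000 fd:05 3001 /data/app/~~Mm4==/com.example.hostapp-Ef5==/lib/arm64/libhook.so
7a1f000000-7a1f100000 r--p 00000000 fd:05 3002 /data/user/0/com.example.hostapp/files/payload.dex
"""

if __name__ == "__main__":
    for label, d, m in (("clean", CLEAN_DATA_DIR, CLEAN_MAPS),
                        ("hosted", HOSTED_DATA_DIR, HOSTED_MAPS)):
        print(label, container_indicators("com.example.bank", d, m))
```

The allowlist matters in practice: without it, the WebView mapping in the clean sample is reported as a foreign package.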
V. CONCLUSION

This research was carried out to find out the process and execution of the FjordPhantom malware. The author can conclude that the FjordPhantom malware is malware that attacks banking applications and is only found on devices with the Android operating system. Android is an open-source operating system, making it more vulnerable to attack[13]. It makes Android devices easy targets for cybercriminals to slip in or inject malware. FjordPhantom uses virtualization techniques, which allow the FjordPhantom malware to steal data without the knowledge of the user and system. The virtualization technique itself is a technique that can run several applications/tasks using a virtual container at the same time, so it isn't easy to know/detect.

ACKNOWLEDGMENT

The author expresses sincere gratitude to all individuals who contributed to completing the systematic literature review (SLR) on the topic of "Fjord Phantom Malware Execution Process and Analysis in Mobile Banking Applications." This research would not have been feasible without numerous individuals' unwavering commitment, assistance, and proficiency, to whom the author would like to express gratitude. Special thanks are extended to Andi Muh, Aizar Farhan, Oktavianus Satu Bima Metasakti, and Vincent for their diligent endeavours in gathering and scrutinizing literature, which served as the foundation of our research. Furthermore, the authors express their gratitude for the assistance and encouragement given by Drajad Wiryawan, CEH, CHFI as our mentor, whose constructive comments significantly enhanced the quality of our work. The author acknowledges the financial assistance provided by Bina Nusantara University's BINUS International Research - Basic entitled "Artificial Intelligence Security and Vulnerability in Digital Era Preparation" with contract number: 069B/VRRTT/III/2024 and contract date: March 18, 2024. We also followed open data rules when possible and necessary when writing this article. Ultimately, the author expresses gratitude towards the researchers, scholars, and authors whose works served as the foundation for our review. We appreciate the support from everyone.

REFERENCES

[1] M. R. Habibi and I. Liviani, “Kejahatan Teknologi Informasi (Cyber Crime) dan Penanggulangannya dalam Sistem Hukum Indonesia,” Al-Qanun: Jurnal Pemikiran Dan …, 2020, [Online]. Available: http://jurnalfsh.uinsby.ac.id/index.php/qanun/article/view/1132
[2] I. Sari, “Mengenal Hacking Sebagai Salah Satu Kejahatan Di Dunia Maya,” Jurnal Sistem Informasi Universitas Suryadarma, vol. 10, no. 2, pp. 169–186, 2014, doi: 10.35968/jsi.v10i2.1086.
[3] T. A. Cahyanto, V. Wahanggara, and ..., “Analisis dan deteksi malware menggunakan metode malware analisis dinamis dan malware analisis statis,” … Sistem dan Teknologi …, 2017, [Online]. Available: http://jurnal.unmuhjember.ac.id/index.php/JUSTINDO/article/view/1037
[4] I. Riadi, Sunardi, and D. Aprilliansyah, “Analysis of Anubis Trojan Attack on Android Banking Application Using Mobile Security Labware,” International Journal of Safety and Security Engineering, vol. 13, no. 1, pp. 31–38, Feb. 2023, doi: 10.18280/ijsse.130104.
[5] M. Kassi, “RAN Virtualization: How Hard Is It to Fully Achieve?”.
[6] M. Kassi and S. Hamouda, “RAN Virtualization: How Hard Is It to Fully Achieve?”.
[7] Mark Cherp, “Virtual Cloak: Virtualization as Malware,” CyberArk.com.
[8] M. Webster and G. Malcolm, “Detection of metamorphic and virtualization-based malware using algebraic specification,” Journal in Computer Virology, vol. 5, no. 3, pp. 221–245, 2009, doi: 10.1007/s11416-008-0094-0.
[9] D. Tank, A. Aggarwal, and N. Chaubey, “A method for malware detection in virtualization environment,” in Communications in Computer and Information Science, Springer, 2020, pp. 263–276. doi: 10.1007/978-981-15-6648-6_21.
[10] X. Najoan, “Analisis Aspek Keamanan Dalam Menghadapi Rootkit Berbasis Mesin Virtual (VMBR).”
[11] A. Huseinovic and S. Ribic, Virtual machine memory forensics. 2013. doi: 10.1109/TELFOR.2013.6716386.
[12] I. Saeed et al., “A Survey on Malwares and Malware Detection Systems A Survey on Malware and Malware Detection Systems,” 2013. [Online]. Available: https://www.researchgate.net/publication/272238656
[13] S. Arshad, M. Ali Shah, A. Khan, and M. Ahmed, “Android Malware Detection & Protection: A Survey,” 2016. [Online]. Available: www.ijacsa.thesai.org
[14] K. Phillips, J. C. Davidson, R. R. Farr, C. Burkhardt, S. Caneppele, and M. P. Aiken, “Conceptualizing Cybercrime: Definitions, Typologies and Taxonomies,” Jun. 01, 2022, Multidisciplinary Digital Publishing Institute (MDPI). doi: 10.3390/forensicsci2020028.
[15] M. Razeed and M. Nowfeek, “A Review of Android operating system security issues,” 2022. [Online]. Available: www.rsisinternational.org
[16] P. Gilski and J. Stefanski, “Android OS: A Review,” 2015. [Online]. Available: www.temjournal.com
[17] Benjamin Adolphi, “Promon discovers new Android banking malware, ‘FjordPhantom,’” Promon. Accessed: Apr. 25, 2024. [Online]. Available: https://promon.co/security-news/fjordphantom-android-malware/
[18] Bill Toulas, “FjordPhantom Android malware uses virtualization to evade detection,” BleepingComputer. Accessed: Apr. 25, 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware-uses-virtualization-to-evade-detection/
[19] Newsroom, “New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia,” The Hacker News. Accessed: Apr. 29, 2024. [Online]. Available: https://thehackernews.com/2023/12/new-fjordphantom-android-malware.html
[20] A. A. Shaikh and H. Karjaluoto, “Mobile banking adoption: A literature review,” Telematics and Informatics, vol. 32, no. 1, pp. 129–142, 2015, doi: https://doi.org/10.1016/j.tele.2014.05.003.
[21] G. Magnani and A. Zucchella, “Uncertainty in Entrepreneurship and Management Studies: A Systematic Literature Review,” International Journal of Business and Management, vol. 13, no. 3, p. 98, Feb. 2018, doi: 10.5539/ijbm.v13n3p98.
[22] A. Case et al., “HookTracer: A System for Automated and Accessible API Hooks Analysis,” Digit Investig, vol. 29, pp. S104–S112, Jul. 2019, doi: 10.1016/j.diin.2019.04.011.
