
S1208: FjordPhantom

FjordPhantom is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. FjordPhantom was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.[1]

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

FjordPhantom matters because it shows how a malicious Android app can turn mobile banking use into an identity and fraud risk: it was reported as being delivered through email and messaging applications, then used a virtualization solution alongside legitimate banking apps to steal sensitive information and manipulate the user interface. For leaders, the practical issue is not only malware on a phone; it is whether mobile device policy, user reporting, app installation controls, banking/fraud workflows, and SOC visibility can recognize suspicious Android app behavior before account compromise or customer-impacting fraud decisions occur.

Executive priority

Prioritize this as a mobile identity, fraud, and operational resilience concern for Android users in relevant business populations, especially where employees handle banking, payments, customer finance operations, or privileged access from mobile devices. Executives should ask whether the organization has enforceable controls against untrusted Android application installation, user education for email and messaging delivery, incident playbooks for suspected mobile banking malware, and evidence for auditors that mobile risk is governed rather than treated as unmanaged personal-device risk.

Technical view

FjordPhantom is an Android malware entry with no MITRE-provided detection text and no specified tactics, so defensive validation should be driven by the supplied behavior and relationships: phishing delivery, masquerading, hooking, process injection, and use of an Android virtualization solution. SOC and IR teams should validate whether mobile telemetry can show suspicious app installation sources, app identity or metadata inconsistencies, virtualization-related behavior, attempts to run alongside or interact with banking applications, and abnormal process or API manipulation indicators where mobile EDR, MDM, application protection, or device logs support that level of visibility.

Likely telemetry

  • Android application inventory, package metadata, install time, installer/source, signing information, and permission requests
  • MDM/UEM compliance data for sideloading, unknown-source installation settings, device integrity, and policy violations
  • Mobile threat defense or EDR alerts for masquerading, hooking frameworks, process injection-like behavior, virtualization/container activity, or suspicious app interactions
  • Email and messaging security telemetry showing delivery of links or attachments associated with Android app installation attempts
  • User-reported phishing messages, suspicious app prompts, banking-app overlay or interface manipulation reports, and help desk tickets

Detection direction

  • Because ATT&CK provides no official detection guidance for FjordPhantom, first confirm what Android telemetry is actually collected and whether personal/BYOD devices are in scope.
  • Tune mobile detections around suspicious Android app installation paths, especially delivery originating from email or messaging workflows, without assuming every non-store app is malicious in environments where sideloading is legitimate.
  • Correlate application metadata anomalies and user-facing impersonation indicators with the related Masquerading technique rather than relying only on app name or icon reputation.
  • Look for security-tool or app-protection alerts associated with hooking, process injection, or virtualization behavior; these signals may be high value but environment-dependent and may require mobile security tooling beyond standard MDM.
  • Investigate reports of banking app interface manipulation or unexpected prompts as potential security events, not just usability issues, when paired with recent Android app installation.
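One way to turn the installation-path, masquerading and user-report bullets above into a single triage pass over an app-inventory export, as an added example that is not code from the ATT&CK object or from Glexia. The record fields, the sanctioned banking-app list, the installer package names used as a sideloading heuristic and the signal weights are all assumptions to be replaced with the organisation's own MDM/UEM field names and policy.

```python
from datetime import datetime, timedelta

# Added example for the "Detection direction" list above, not code from the
# ATT&CK object or Glexia. Record fields (package, label, installer, signer,
# installed_at, user_report) are a constructed stand-in for an MDM/UEM export.

# Assumption: sanctioned banking apps and the signing-certificate fingerprint
# each is expected to carry (placeholder value, not a real fingerprint).
KNOWN_BANKING_APPS = {"com.examplebank.mobile": "sha256:PLACEHOLDER"}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play; extend per device policy
# Installer packages that indicate delivery through an email or chat client.
MESSAGING_INSTALLERS = {"com.google.android.gm", "com.whatsapp", "org.telegram.messenger"}

def triage(record, now):
    """Return (signal, weight) pairs for one installed-app record."""
    signals = []
    installer = record.get("installer") or "unknown"
    recent = now - record["installed_at"] <= timedelta(days=7)
    # Non-store install path, weighted higher when the installer is a mail/chat app.
    if installer not in STORE_INSTALLERS:
        signals.append(("sideloaded", 1))
        if installer in MESSAGING_INSTALLERS:
            signals.append(("delivered_via_email_or_messaging", 2))
    # Masquerading (T1655): label names a sanctioned bank, but the package name
    # or signing certificate is not the sanctioned app's.
    label = record["label"].lower()
    for pkg, signer in KNOWN_BANKING_APPS.items():
        brand = pkg.split(".")[1]  # "examplebank"
        if brand in label and (record["package"] != pkg or record["signer"] != signer):
            signals.append(("banking_brand_mismatch", 3))
    # A user report of banking-UI manipulation is a security event when it
    # follows a recent install rather than a long-standing app.
    if record.get("user_report") and recent:
        signals.append(("ui_manipulation_after_recent_install", 3))
    return signals

def risk_score(record, now):
    return sum(weight for _, weight in triage(record, now))

# Constructed sample inventory: the legitimate bank app and a look-alike.
NOW = datetime(2025, 3, 1)
SAMPLE = [
    {"package": "com.examplebank.mobile", "label": "ExampleBank", "installer": "com.android.vending",
     "signer": "sha256:PLACEHOLDER", "installed_at": datetime(2024, 6, 1), "user_report": False},
    {"package": "com.examp1ebank.secure", "label": "ExampleBank Secure", "installer": "com.whatsapp",
     "signer": "sha256:OTHER", "installed_at": datetime(2025, 2, 27), "user_report": True},
]
if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["package"], risk_score(rec, NOW), [s for s, _ in triage(rec, NOW)])
```

The score is only a ranking aid for analysts; in an environment where sideloading is legitimate, the "sideloaded" signal alone should not page anyone.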

Mitigation priorities

  • Restrict or monitor installation of Android applications from untrusted sources where business policy allows, and require managed-device compliance for users with sensitive finance, identity, or privileged workflows.
  • Strengthen phishing controls and user reporting for email and messaging-delivered mobile app lures, including clear escalation paths for suspicious APK links or installation prompts.
  • Use MDM/UEM and mobile threat defense capabilities to enforce device integrity, detect risky apps, and quarantine or revoke access from noncompliant Android devices.
  • Separate high-risk financial or administrative workflows from unmanaged mobile devices when feasible, and require step-up verification or out-of-band review for sensitive transactions.
  • Prepare an IR playbook for suspected mobile malware that covers device isolation, app inventory capture, credential reset decisions, fraud monitoring, and preservation of available mobile telemetry.

Analyst notes and limits

The relationship context is important: FjordPhantom is linked to Phishing, Masquerading, Hooking, Process Injection, and Virtualization Solution techniques. That combination suggests detection should not be limited to a single malware signature; it should test the organization’s ability to connect delivery, deceptive app presentation, and runtime manipulation behavior on Android. The official object does not list aliases, labels, or tactics, so classification should remain conservative.

This take is based only on the supplied ATT&CK fields, external references, and relationships. MITRE provides no official detection text for this object, and the supplied data does not establish current activity, attribution, victim exposure, or guaranteed detection methods. Local device ownership model, MDM coverage, mobile security tooling, app installation policy, and fraud telemetry will determine practical defensive coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1670 | Virtualization Solution | FjordPhantom uses a virtualization solution to steal credentials.[1]
Mobile | T1631 | Process Injection | FjordPhantom has injected malicious code and a hooking framework through a virtualization solution (Virtualization Solution, T1670) into the process of the hosted application.[1]
Mobile | T1655 | Masquerading | FjordPhantom has masqueraded as legitimate banking applications.[1]
Mobile | T1660 | Phishing | FjordPhantom has been distributed via email, SMS and other messaging applications.[1]
Mobile | T1617 | Hooking | FjordPhantom has used the hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that Google Play Services are unavailable, and manipulating UI functionality.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: eeed88d0a93349b0...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | eeed88d0a933…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Promon FjordPhantom Oct2024: Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.
[2] mitre-attack S1208

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.