Near-Field Communication (NFC) relay malware has spread rapidly across Eastern Europe: security researchers have identified more than 760 malicious Android apps using the technique to steal payment card data in the past few months alone. This marks a clear shift from established mobile fraud. Rather than relying on banking trojans that phish credentials through screen overlays, or on remote access tools to push fraudulent transactions, NFC malware abuses Android's Host Card Emulation (HCE) capability. HCE lets an Android device present itself to a reader as a contactless payment card; the malware uses that capability to capture a victim's card data or to stand in for the card at a payment terminal.
The mechanism is simple but effective. The malicious app captures the EMV data a contactless card or payment credential exposes over NFC and then takes part in a transaction at a Point-of-Sale (POS) terminal. When the terminal sends its command APDUs, the app either answers them with attacker-controlled replies or, more commonly, forwards each command to a remote server, which returns the response APDUs the terminal expects. The terminal sees what looks like a valid card and approves the payment, even though neither the real card nor its holder is present at the POS.
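To make the relay path concrete, the following Python simulation is an added illustration and is not code from Zimperium's report or from any of the malware families it describes. It models the chain terminal -> HCE app on the phone at the POS -> network hop -> card next to the victim's phone, for the first step of an EMV contactless exchange (SELECT PPSE; the APDU header and status words are real, the card's FCI payload is a minimal constructed placeholder). It also shows why relay attacks are usually caught by timing rather than by content: the relayed response is byte-for-byte identical to a local one, only the round trip is longer. The card processing time, network latency and the terminal's 100 ms timeout are assumed illustrative values, not figures from any EMV specification.

```python
# Toy simulation of an NFC relay chain, constructed for this article (not malware or vendor code).
# Roles: terminal -> relaying HCE app at the POS -> network hop -> card beside the victim's phone.
# Only the first EMV step (SELECT PPSE) is modelled; later commands follow the same path.
from dataclasses import dataclass

# Real SELECT PPSE APDU: CLA=00 INS=A4 P1=04 P2=00 Lc=0E "2PAY.SYS.DDF01" Le=00
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
SW_OK = bytes.fromhex("9000")         # status word: success
SW_NOT_FOUND = bytes.fromhex("6A82")  # status word: file or application not found

# Constructed minimal FCI: tag 6F (FCI template) wrapping tag 84 (DF name) for the PPSE.
PPSE_FCI = bytes.fromhex("6F10840E") + b"2PAY.SYS.DDF01"


@dataclass
class SimClock:
    """Deterministic clock so latencies are reproducible; each hop advances it."""
    now_ms: float = 0.0

    def advance(self, ms: float) -> None:
        self.now_ms += ms


class ToyCard:
    """Stand-in for the victim's contactless card: answers one APDU with canned data."""
    CARD_PROCESSING_MS = 5.0  # assumed illustrative value

    def transceive(self, apdu: bytes, clock: SimClock) -> bytes:
        clock.advance(self.CARD_PROCESSING_MS)
        if apdu == SELECT_PPSE:
            return PPSE_FCI + SW_OK
        return SW_NOT_FOUND


class DirectHce:
    """Baseline: a legitimate wallet (or the card itself) answering locally, no network hop."""

    def __init__(self, card: ToyCard, clock: SimClock) -> None:
        self.card, self.clock = card, clock

    def process_command_apdu(self, apdu: bytes) -> bytes:
        return self.card.transceive(apdu, self.clock)


class RelayingHce:
    """Attacker-controlled HCE role at the POS: every command APDU is sent over the network
    to the relay server and on to the device holding the card; the answer comes back the same way."""

    def __init__(self, card: ToyCard, clock: SimClock, one_way_ms: float) -> None:
        self.card, self.clock, self.one_way_ms = card, clock, one_way_ms
        self.log: list[tuple[str, str]] = []  # (command hex, response hex) as the server would see it

    def process_command_apdu(self, apdu: bytes) -> bytes:
        self.clock.advance(self.one_way_ms)            # POS phone -> server -> reader phone
        resp = self.card.transceive(apdu, self.clock)  # real card answers
        self.clock.advance(self.one_way_ms)            # reader phone -> server -> POS phone
        self.log.append((apdu.hex(), resp.hex()))
        return resp


@dataclass
class TerminalResult:
    response: bytes
    round_trip_ms: float
    accepted: bool


def terminal_select_ppse(hce, clock: SimClock, timeout_ms: float = 100.0) -> TerminalResult:
    """Terminal side: send SELECT PPSE, time the reply, reject slow or failed responses.
    timeout_ms is an assumed illustrative bound, not a value from any EMV specification."""
    start = clock.now_ms
    resp = hce.process_command_apdu(SELECT_PPSE)
    rtt = clock.now_ms - start
    accepted = resp.endswith(SW_OK) and rtt <= timeout_ms
    return TerminalResult(resp, rtt, accepted)


def demo() -> tuple[TerminalResult, TerminalResult]:
    """Run the same SELECT PPSE against a local card and against a relayed one."""
    card = ToyCard()
    c_direct = SimClock()
    direct = terminal_select_ppse(DirectHce(card, c_direct), c_direct)
    c_relay = SimClock()
    relayed = terminal_select_ppse(RelayingHce(card, c_relay, one_way_ms=120.0), c_relay)
    return direct, relayed


if __name__ == "__main__":
    for name, r in zip(("direct", "relayed"), demo()):
        print(f"{name}: rtt={r.round_trip_ms:.0f} ms status={r.response[-2:].hex()} accepted={r.accepted}")
```

Running the block shows the two responses carrying identical bytes and status 9000, while the relayed exchange takes 245 ms against 5 ms for the local one and is rejected by the timing bound. In practice the same idea underlies the timing and distance-bounding checks terminals and schemes use against relays; the relay's only option is to shave latency, which is why paired devices and low-latency servers matter to these operations.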
The technique was first seen in the wild in Poland in 2023 and was soon followed by targeted campaigns in the Czech Republic. It has since escalated sharply, with far larger waves of attacks in Russia among other regions. Several variants have emerged over time, each with a slightly different approach to maximising theft: simple harvesters that exfiltrate card data to endpoints such as Telegram; relay toolkits that forward payment data to a remote paired device; and "ghost-tap" payments, in which HCE responses are manipulated to authorise POS transactions in real time. Criminals also distribute Progressive Web Apps (PWAs) and fake banking apps that register themselves as the default payment handler on the victim's Android device, so that a terminal's payment commands are routed to the malicious app.
According to the mobile security firm Zimperium, a partner in Google's App Defense Alliance, the rise of NFC malware on Android has been explosive, especially within Eastern Europe. Zimperium's research stresses the pace of growth: "What began as just a few isolated samples has now expanded to more than 760 malicious apps observed in the wild—demonstrating that NFC relay abuse is not slowing down but continuing to accelerate." Campaigns that were previously isolated have broadened their geographical reach to Russia, Poland, the Czech Republic, Slovakia and other countries.
The supporting infrastructure is extensive. Zimperium has identified over 70 command-and-control (C2) servers and numerous app distribution hubs supporting these campaigns, along with dozens of Telegram bots and private channels used both to exfiltrate stolen payment data and to coordinate the operations. The apps used to lure victims and deliver the malware commonly impersonate legitimate services such as Google Pay or well-known financial institutions, including Santander Bank, VTB Bank, Tinkoff Bank, ING Bank, Bradesco Bank and Promsvyazbank (PSB).