  • Zimperium zLabs reports global rise in NFC relay malware exploiting Android HCE.
  • 760+ malicious apps and 70+ command-and-control servers identified since April 2024.
  • Apps misuse NFC to complete fraudulent payments, impersonating legitimate banks and services.

Recent research by Zimperium zLabs reveals a significant global rise in NFC relay malware exploiting Android's Host Card Emulation (HCE) to steal payment data and execute fraudulent "tap-to-pay" transactions. Initially detected in April 2024, this malware campaign has rapidly expanded to include over 760 malicious applications.

These apps rely on more than 70 command-and-control servers, multiple Telegram bots, and regional impersonations of banks and government entities, and operate across countries including Russia, Poland, Czechia, Slovakia, and Brazil.

NFC Payment Method Abuses

zLabs' investigations have identified several patterns: some apps serve as scanner/tapper tools that interface with POS terminals, while others discreetly collect EMV card fields and device identifiers for transmission to the attackers through Telegram.

A common strategy among operators is to persuade users to select the malicious app as the default NFC payment method. Once installed, its background services intercept NFC events and transmit crafted Application Protocol Data Units (APDUs) to complete fraudulent payments.

Extensive Cyber Campaign

  • Over 760 malicious apps have emerged since April 2024.
  • More than 70 command-and-control servers and numerous distribution channels have been catalogued.
  • Several dozen Telegram bots and private channels are utilized for data exfiltration and operational coordination.
  • About 20 institutions, including central and commercial banks, as well as payment processors across various nations, are being impersonated.

Imitating Legitimate Apps

The attackers leverage Android HCE technology to mimic legitimate payment apps by relaying requests from payment terminals to remote servers, which then return APDU responses designed for fraudulent transactions.

The communication between the apps and command-and-control systems typically includes commands for login, registration, sending APDU commands and responses, card data exchange, and Telegram notifications, facilitating real-time fraud with little user action required.
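The two mechanics described above (an app that gets itself chosen as the default NFC payment handler, then relays terminal APDUs to a remote server) leave a static footprint that a defender can check for. The following is an added example, not code from Zimperium's report: it parses a constructed AndroidManifest.xml and HCE service declaration and flags the combination of a HostApduService in the payment AID category, no device-unlock requirement, and Internet access.

```python
# Added triage check (not from the Zimperium report): flags an app that registers a
# payment-category HCE service and has network access, the shape of a relay app.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # Android XML attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed sample AndroidManifest.xml, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml: payment AID group, usable on a locked phone.
SAMPLE_APDU_SERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/desc" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""

def triage(manifest_xml, apdu_service_xml):
    """Return indicator flags; relay_pattern is True only when all of them hold."""
    manifest = ET.fromstring(manifest_xml)
    service = ET.fromstring(apdu_service_xml)
    perms = {p.get(A + "name") for p in manifest.iter("uses-permission")}
    # Services whose intent-filter registers them as HostApduService handlers.
    hce_services = [
        s.get(A + "name") for s in manifest.iter("service")
        if HCE_ACTION in {a.get(A + "name") for a in s.iter("action")}
    ]
    categories = {g.get(A + "category") for g in service.iter("aid-group")}
    flags = {
        "hce_service": bool(hce_services),
        "payment_category": "payment" in categories,  # can be chosen as default payment app
        "no_unlock_required": service.get(A + "requireDeviceUnlock") == "false",
        "internet": "android.permission.INTERNET" in perms,  # needed to relay APDUs off-device
    }
    flags["relay_pattern"] = all(flags.values())
    flags["aids"] = [f.get(A + "name") for f in service.iter("aid-filter")]
    return flags
```

Legitimate wallet apps share this same declaration shape, so a positive result is a trigger for manual review of the app's network behaviour and publisher, not a verdict on its own.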

Response and Mitigation

"Attackers are turning tap-to-pay into a global fraud platform by weaponizing NFC and HCE," explained Nico Chiaraviglio, Chief Scientist at Zimperium.

He adds, "This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate."
