Zimperium Highlights Threats From NFC Relay Malware

30 Oct 2025

Recent research by Zimperium zLabs reveals a significant global rise in NFC relay malware exploiting Android's Host Card Emulation (HCE) to steal payment data and execute fraudulent "tap-to-pay" transactions. Initially detected in April 2024, this malware campaign has rapidly expanded to include over 760 malicious applications.

These apps utilize more than 70 command-and-control servers, multiple Telegram bots, and regional impersonations of banks and government entities to spread their influence across countries such as Russia, Poland, Czechia, Slovakia, and Brazil.

NFC Payment Method Abuses

zLabs' investigations have identified several patterns where some apps serve as scanner/tapper tools interfacing with POS terminals, while others discreetly collect EMV card fields and device identities for transmission to attackers through Telegram.

A common strategy among operators is to persuade users to select the malicious app as the default NFC payment method. Once installed, background services manipulate NFC events and transmit crafted Application Protocol Data Units (APDU) to finalize fraudulent payments.

Extensive Cyber Campaign

Over 760 malicious apps have emerged since April 2024.
More than 70 command-and-control servers and numerous distribution channels have been classified.
Several dozen Telegram bots and private channels are utilized for data exfiltration and operational coordination.
About 20 institutions, including central and commercial banks, as well as payment processors across various nations, are being impersonated.

Imitating Legitimate Apps

The attackers leverage Android HCE technology to mimic legitimate payment apps by relaying requests

The attackers leverage Android HCE technology to mimic legitimate payment apps by relaying requests from payment terminals to remote servers, which then return APDU responses designed for fraudulent transactions.

The communication between the apps and command-and-control systems typically includes commands for login, registration, sending APDU commands and responses, card data exchange, and Telegram notifications, facilitating real-time fraud with little user action required.

Response and Mitigation

"Attackers are turning tap-to-pay into a global fraud platform by weaponizing NFC and HCE," explained Nico Chiaraviglio, Chief Scientist at Zimperium.

He adds, "This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate."

Show full press release

Zimperium zLabs published new findings showing a rapid, global increase in NFC relay malware that abuses Android’s Host Card Emulation (HCE) to harvest payment data and complete fraudulent “tap-to-pay” transactions.

First observed in April 2024 as isolated samples, this campaign family has expanded to more than 760 malicious apps, leveraging 70+ command-and-control servers, dozens of Telegram bots/channels, and localized impersonation of banks and government services across Russia, Poland, Czechia, Slovakia, Brazil and beyond.

Default NFC payment method

zLabs’ monitoring uncovered multiple operational patterns where some apps act as scanner/tapper tools paired with POS endpoints, others quietly collect EMV fields and device identifiers and forward them to attackers via Telegram.

Operators commonly prompt users to set the malicious app as the default NFC payment method while background services handle NFC events and relay crafted APDU responses to complete fraudulent payments.

Key findings

760+ malicious apps observed since April 2024.
70+ C2 servers and numerous distribution channels identified.
Dozens of Telegram bots/private channels used for exfiltration and coordination.
~20 institutions impersonated, including central banks, major retail banks and payment processors across multiple countries.
Malware families reuse the same codebase while repackaging under different brand names and regional lures.

Impersonate legitimate payment apps

Attackers exploit Android HCE to impersonate legitimate payment apps and relay payment terminal requests to remote servers that return crafted APDU responses.

Commands exchanged between apps and C2 include login/register, apdu_command/apdu_response, card_info and telegram_notification, enabling real-time fraud with minimal user interaction.

On-device detection and runtime protection

“Attackers are turning tap-to-pay into a global fraud platform by weaponizing NFC and HCE,” said Nico Chiaraviglio, Chief Scientist at Zimperium.

He adds, “This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate.”

Download PDF version Download PDF version

Add as a preferred source on Google