30 Oct 2025

Zimperium zLabs published new findings showing a rapid, global increase in NFC relay malware that abuses Android’s Host Card Emulation (HCE) to harvest payment data and complete fraudulent “tap-to-pay” transactions.

First observed in April 2024 as isolated samples, this campaign family has expanded to more than 760 malicious apps, leveraging 70+ command-and-control servers, dozens of Telegram bots/channels, and localised impersonation of banks and government services across Russia, Poland, Czechia, Slovakia, Brazil and beyond.

Default NFC payment method

zLabs’ monitoring uncovered multiple operational patterns: some apps act as scanner/tapper tools paired with POS endpoints, while others quietly collect EMV fields and device identifiers and forward them to attackers via Telegram.

Operators commonly prompt users to set the malicious app as the default NFC payment method while background services handle NFC events and relay crafted APDU responses to complete fraudulent payments.

Key findings

  • 760+ malicious apps observed since April 2024.
  • 70+ C2 servers and numerous distribution channels identified.
  • Dozens of Telegram bots/private channels used for exfiltration and coordination.
  • ~20 institutions impersonated, including central banks, major retail banks and payment processors across multiple countries.
  • Malware families reuse the same codebase while repackaging under different brand names and regional lures.

Impersonate legitimate payment apps

Attackers exploit Android HCE to impersonate legitimate payment apps and relay payment terminal requests to remote servers that return crafted APDU responses.

Commands exchanged between apps and C2 include login/register, apdu_command/apdu_response, card_info and telegram_notification, enabling real-time fraud with minimal user interaction.
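The command vocabulary above gives defenders a traffic-side signal: a relay session pairs apdu_command with apdu_response round trips and carries card_info or telegram_notification exfiltration. The script below is an added example, not Zimperium's code; the JSON-lines log layout and the sample messages are constructed assumptions for illustration only.

```python
import json
from collections import defaultdict

# Command names come from the report; the JSON-lines layout below is an assumption
# made for this example, not a format the malware is known to use.
EXFIL_CMDS = {"card_info", "telegram_notification"}

def parse_log(text):
    """Group one-JSON-object-per-line messages by session, sorted by timestamp."""
    sessions = defaultdict(list)
    for line in filter(None, map(str.strip, text.splitlines())):
        msg = json.loads(line)
        sessions[msg["session"]].append(msg)
    for msgs in sessions.values():
        msgs.sort(key=lambda m: m["ts"])
    return sessions

def assess_session(msgs):
    """Relay indicators: apdu_command answered by apdu_response (relay round trips,
    with their latency) plus card_info / telegram_notification (exfiltration)."""
    relayed, max_latency, pending, exfil = 0, 0.0, None, set()
    for m in msgs:
        cmd = m["cmd"]
        if cmd == "apdu_command":
            pending = m["ts"]
        elif cmd == "apdu_response" and pending is not None:
            relayed += 1
            max_latency = max(max_latency, m["ts"] - pending)
            pending = None
        elif cmd in EXFIL_CMDS:
            exfil.add(cmd)
    return {"relayed_apdus": relayed, "max_latency_s": round(max_latency, 3),
            "exfil": sorted(exfil), "is_relay": relayed > 0 and bool(exfil)}

def flag_relay_sessions(text):
    """Session ids matching relay-plus-exfiltration; the others are left alone."""
    return sorted(s for s, m in parse_log(text).items() if assess_session(m)["is_relay"])

# Constructed sample: session A registers, harvests card data and relays two APDU
# exchanges before notifying a Telegram bot; session B only logs in.
SAMPLE_LOG = """
{"ts": 0.0, "session": "A", "cmd": "register"}
{"ts": 1.2, "session": "A", "cmd": "card_info"}
{"ts": 5.0, "session": "A", "cmd": "apdu_command"}
{"ts": 5.4, "session": "A", "cmd": "apdu_response"}
{"ts": 5.5, "session": "A", "cmd": "apdu_command"}
{"ts": 6.1, "session": "A", "cmd": "apdu_response"}
{"ts": 6.2, "session": "A", "cmd": "telegram_notification"}
{"ts": 0.0, "session": "B", "cmd": "login"}
"""
```

Running flag_relay_sessions(SAMPLE_LOG) returns ['A']; the latency figure is useful because a relayed response must cross the network before the terminal times out, which a tuned threshold can catch.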

On-device detection and runtime protection

“Attackers are turning tap-to-pay into a global fraud platform by weaponising NFC and HCE,” said Nico Chiaraviglio, Chief Scientist at Zimperium.

He adds, “This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate.”