Zimperium zLabs has reported a sharp rise in NFC relay malware that abuses Android's Host Card Emulation (HCE), the mechanism that lets an ordinary app, rather than a secure element, answer a payment terminal's APDUs, to harvest payment data and carry out fraudulent "tap-to-pay" transactions. First seen as isolated samples in April 2024, the campaign has since grown to more than 760 malicious applications.
These apps utilise upwards of 70 command-and-control (C2) servers and employ numerous Telegram bots and channels, impersonating banks and government entities in countries such as Russia, Poland, Czechia, Slovakia, Brazil, and more.
Operational strategies and techniques
Monitoring by zLabs revealed distinct operational patterns among the malicious applications. Some are designed to function as scanner/tapper tools in conjunction with point-of-sale (POS) systems, while others discreetly gather EMV fields and device identifiers, subsequently transmitting them to attackers via Telegram.
A common tactic is to persuade the user to set the malicious app as the device's default NFC payment service. Once it holds that role, Android routes a terminal's APDUs to the app's HostApduService without the app being in the foreground, and the service answers with attacker-supplied APDU responses, so the terminal completes a payment against card data the victim never presented.
Significant findings and patterns
Key findings from the investigation indicate the existence of over 760 malicious apps since April 2024, with more than 70 command-and-control servers and numerous distribution channels identified. The use of a multitude of Telegram bots and private channels facilitates data exfiltration and operational coordination.
Approximately 20 institutions, including central and major retail banks along with payment processors from various countries, have been impersonated. These malware families often recycle the same code but repackage under diverse brand names and localised themes.
Exploitation of Android HCE
Cyber attackers are manipulating Android HCE to impersonate legitimate payment applications, relaying requests from payment terminals to remote servers, which return fabricated APDU responses.
The apps and their servers exchange messages of the types login/register, apdu_command/apdu_response, card_info and telegram_notification: the app enrols with the server, forwards each terminal command and returns the server's answer, reports harvested card data, and triggers notifications to the operators. The result is a fraudulent transaction carried out in real time with almost no action from the victim.
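The following is an added example, not Zimperium's code and not taken from any analysed sample. It models the two things the article describes: the default-payment-service relay (an APDU arriving from the terminal is forwarded as an apdu_command and whatever comes back as apdu_response is handed to the terminal) and the card_info stage that picks EMV fields out of card responses. The message names come from the article; the JSON framing, the fake_c2 stand-in, the sample APDUs and the test PAN 4111... are constructed for the example.

```python
"""Model of an HCE APDU relay and of the EMV fields it exposes.
Added example; JSON framing, server stand-in and sample bytes are assumptions."""
import json


def parse_apdu(apdu: bytes) -> dict:
    """Split a short-form command APDU into CLA/INS/P1/P2, data and Le."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs a 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                      # case 2: Le only
        le = body[0]
    elif len(body) > 1:                     # case 3/4: Lc, data, optional Le
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc disagrees with APDU length")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def parse_tlv(buf: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed tags."""
    out, i = {}, 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start, i = i, i + 1
        if buf[start] & 0x1F == 0x1F:       # multi-byte tag (e.g. 5F24, BF0C)
            while buf[i] & 0x80:
                i += 1
            i += 1
        tag, length, i = buf[start:i], buf[i], i + 1
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        value = buf[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag.hex().upper()}")
        i += length
        if buf[start] & 0x20:               # constructed: recurse
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


# Constructed sample traffic (test PAN 4111..., not real card data).
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
PPSE_FCI = bytes.fromhex(
    "6F20840E325041592E5359532E4444463031A50EBF0C0B61094F07A0000000041010")
READ_RECORD_RSP = bytes.fromhex(
    "702357114111111111111111D2512201000000000F5A0841111111111111115F2403251231")


def fake_c2(msg: dict) -> dict:
    """Stand-in for the attacker's server (assumed behaviour): answers each
    relayed SELECT with a canned FCI and anything else with 6A82."""
    if msg.get("type") != "apdu_command":
        return {"type": "error"}
    cmd = parse_apdu(bytes.fromhex(msg["data"]))
    if cmd["ins"] == 0xA4:
        return {"type": "apdu_response", "data": (PPSE_FCI + b"\x90\x00").hex().upper()}
    return {"type": "apdu_response", "data": "6A82"}


def relay_apdu(terminal_apdu: bytes, server=fake_c2):
    """What a relaying HostApduService does in processCommandApdu(): wrap the
    terminal's bytes in an apdu_command, return the server's apdu_response bytes."""
    request = {"type": "apdu_command", "data": terminal_apdu.hex().upper()}
    reply = server(json.loads(json.dumps(request)))   # round-trip as a wire message
    log = [request, reply]
    if reply.get("type") != "apdu_response":
        return bytes.fromhex("6F00"), log             # generic error, transaction dies
    return bytes.fromhex(reply["data"]), log


def card_info_message(record_rsp: bytes) -> dict:
    """The card_info stage: the EMV fields harvested from a READ RECORD
    response. The PAN is masked here; real samples would send it whole."""
    body = record_rsp[:-2] if record_rsp[-2:] == b"\x90\x00" else record_rsp
    fields = parse_tlv(body)
    pan = fields["5A"].hex().rstrip("f")
    return {
        "type": "card_info",
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymmdd": fields["5F24"].hex(),
        "track2_present": "57" in fields,
    }


if __name__ == "__main__":
    print("terminal ->", parse_apdu(SELECT_PPSE))
    rsp, log = relay_apdu(SELECT_PPSE)
    print("relayed  ->", log[0]["type"], "/", log[1]["type"], "AID", parse_tlv(rsp[:-2])["4F"].hex())
    print(json.dumps(card_info_message(READ_RECORD_RSP)))
```

Two points the model makes visible. First, every terminal command costs a network round trip to the C2 before the terminal gets an answer, which is why these apps need a responsive server and why latency is one signal an on-device agent can look at. Second, the app only receives those APDUs because it holds the default payment role: on a device under investigation, `adb shell settings get secure nfc_payment_default_component` shows which component currently has it, and any app that can take it must declare a HostApduService with the `android.nfc.cardemulation.host_apdu_service` meta-data in its manifest, which is a cheap static triage filter for a collection of suspect APKs.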
Need for enhanced security measures
Nico Chiaraviglio, Chief Scientist at Zimperium, stated, "Attackers are turning tap-to-pay into a global fraud platform by weaponising NFC and HCE."
He adds, "This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate."