Zimperium reveals surge in NFC relay malware

30 Oct 2025

Zimperium zLabs has unveiled a significant surge in the use of NFC relay malware, which exploits Android's Host Card Emulation (HCE) to illicitly gather payment data and execute fraudulent "tap-to-pay" transactions. Initially detected in April 2024 as isolated incidents, this malware campaign has rapidly proliferated, now comprising over 760 harmful applications.

These apps utilise upwards of 70 command-and-control (C2) servers and employ numerous Telegram bots and channels, impersonating banks and government entities in countries such as Russia, Poland, Czechia, Slovakia, Brazil, and more.

Operational strategies and techniques

Monitoring by zLabs revealed distinct operational patterns among the malicious applications

Monitoring by zLabs revealed distinct operational patterns among the malicious applications. Some are designed to function as scanner/tapper tools in conjunction with point-of-sale (POS) systems, while others discreetly gather EMV fields and device identifiers, subsequently transmitting them to attackers via Telegram.

A common tactic involves persuading users to designate the harmful app as the default NFC payment method, allowing background processes to handle NFC events and relay tailored Application Protocol Data Unit (APDU) responses, thereby effectuating fraudulent payments.

Significant findings and patterns

Key findings from the investigation indicate the existence of over 760 malicious apps since April 2024, with more than 70 command-and-control servers and numerous distribution channels identified. The use of a multitude of Telegram bots and private channels facilitates data exfiltration and operational coordination.

Approximately 20 institutions, including central and major retail banks along with payment processors from various countries, have been impersonated. These malware families often recycle the same code but repackage under diverse brand names and localised themes.

Exploitation of Android HCE

Cyber attackers are manipulating Android HCE to impersonate legitimate payment applications

Cyber attackers are manipulating Android HCE to impersonate legitimate payment applications, relaying requests from payment terminals to remote servers, which return fabricated APDU responses.

The exchange of commands between the apps and their remote servers includes login/register, apdu_command/apdu_response, card_info, and telegram_notification, facilitating real-time fraudulent activities with minimal user involvement.

Need for enhanced security measures

Nico Chiaraviglio, Chief Scientist at Zimperium, stated, "Attackers are turning tap-to-pay into a global fraud platform by weaponising NFC and HCE."

He adds, "This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate."

Show full press release

Zimperium zLabs published new findings showing a rapid, global increase in NFC relay malware that abuses Android’s Host Card Emulation (HCE) to harvest payment data and complete fraudulent “tap-to-pay” transactions.

First observed in April 2024 as isolated samples, this campaign family has expanded to more than 760 malicious apps, leveraging 70+ command-and-control servers, dozens of Telegram bots/channels, and localised impersonation of banks and government services across Russia, Poland, Czechia, Slovakia, Brazil and beyond.

Default NFC payment method

zLabs’ monitoring uncovered multiple operational patterns where some apps act as scanner/tapper tools paired with POS endpoints, others quietly collect EMV fields and device identifiers and forward them to attackers via Telegram.

Operators commonly prompt users to set the malicious app as the default NFC payment method while background services handle NFC events and relay crafted APDU responses to complete fraudulent payments.

Key findings

760+ malicious apps observed since April 2024.
70+ C2 servers and numerous distribution channels identified.
Dozens of Telegram bots/private channels used for exfiltration and coordination.
~20 institutions impersonated, including central banks, major retail banks and payment processors across multiple countries.
Malware families reuse the same codebase while repackaging under different brand names and regional lures.

Impersonate legitimate payment apps

Attackers exploit Android HCE to impersonate legitimate payment apps and relay payment terminal requests to remote servers that return crafted APDU responses.

Commands exchanged between apps and C2 include login/register, apdu_command/apdu_response, card_info and telegram_notification, enabling real-time fraud with minimal user interaction.

On-device detection and runtime protection

“Attackers are turning tap-to-pay into a global fraud platform by weaponising NFC and HCE,” said Nico Chiaraviglio, Chief Scientist at Zimperium.

He adds, “This is no longer a niche experiment; it's a scalable attack chain that targets the payment ecosystem at the device level. On-device detection and runtime protection are essential to stop these campaigns on the mobile device where they operate.”

Download PDF version Download PDF version

Add as a preferred source on Google