A new wave of NFC relay malware is sweeping across Europe, with cybersecurity researchers uncovering more than 760 malicious Android apps exploiting Near-Field Communication (NFC) systems to steal credit card data. Unlike traditional banking trojans that rely on phishing or overlays, this new generation of malware takes a more sophisticated route—directly hijacking Android’s Host Card Emulation (HCE) feature to emulate contactless cards and authorize payments without the cardholder being present.
According to the mobile security firm Zimperium, a member of Google’s App Defense Alliance, the NFC relay attack trend has skyrocketed in Eastern Europe, with major campaigns emerging in Poland, the Czech Republic, Russia, and Slovakia. Initially seen as isolated cases in 2023, these attacks have rapidly evolved into massive, coordinated operations, supported by over 70 command-and-control (C2) servers and dozens of Telegram channels where stolen data is traded or operations are coordinated.
What makes these attacks particularly dangerous is their ability to simulate real-time credit card communication. By capturing EMV data fields and manipulating Application Protocol Data Unit (APDU) commands, the malware can fool payment terminals into believing a legitimate card is being used. Some variants even forward requests to remote servers, where attackers craft valid APDU responses on the fly—allowing successful payments at point-of-sale (POS) terminals without the cardholder’s knowledge.
Researchers have categorized these threats into several types: data harvesters, which exfiltrate sensitive payment data to Telegram or private servers; relay toolkits, which forward APDU commands to remote devices; and “ghost-tap” malware, capable of authorizing transactions in real time. In addition, progressive web apps (PWAs) and fake banking apps disguise themselves as Google Pay or reputable institutions like Santander, ING, VTB, Tinkoff, and Bradesco, tricking users into granting them sensitive permissions.
Cybersecurity experts warn that these attacks represent a significant shift in Android threat landscapes. The combination of HCE, NFC, and remote C2 infrastructures allows attackers to bypass traditional fraud detection systems and carry out instant, undetectable transactions. Since the malware does not require physical access to the victim’s device, contactless payments—once considered secure—are now under threat.
To protect against NFC malware, users are urged to avoid installing APKs from outside Google Play, use only official banking app links, and scrutinize apps that request NFC access or foreground-service permissions. Regular scanning with Google Play Protect and disabling NFC when not needed can significantly reduce risk.
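As an added illustration of the permission scrutiny recommended above (example code written for this page, not from Zimperium’s report), the following script triages an Android manifest and flags an app that registers an HCE service together with network, foreground-service or NFC permissions, or that carries a label imitating one of the impersonated brands named earlier. The sample manifest, the brand watchlist and the trusted package prefixes are constructed assumptions.

```python
"""Added manifest-triage heuristic (not from the report): flag an app that registers an NFC
Host Card Emulation service plus the capabilities relay malware needs, or a bank-like label."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
# Assumed watchlist built from the brands the report says are impersonated.
BRANDS = ("google pay", "santander", "ing", "vtb", "tinkoff", "bradesco")
# Assumed: only these package prefixes may legitimately present as Google Pay.
TRUSTED_PREFIXES = ("com.google.", "com.android.")

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")

def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {_attr(p, "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    app = root.find("application")
    label = _attr(app, "label").lower() if app is not None else ""
    hce = [_attr(s, "name") for s in root.iter("service")
           if any(_attr(a, "name") == HCE_ACTION for a in s.iter("action"))]
    findings = []
    if hce:
        findings.append("registers HCE service(s): " + ", ".join(hce))
        for perm, why in (("INTERNET", "APDUs can be relayed off-device"),
                          ("FOREGROUND_SERVICE", "emulation can persist in the background"),
                          ("NFC", "direct NFC access requested")):
            if perm in perms:
                findings.append(f"{perm} granted with HCE: {why}")
    hit = next((b for b in BRANDS if re.search(rf"\b{re.escape(b)}\b", label)), None)
    if hit and not package.startswith(TRUSTED_PREFIXES):
        findings.append(f"label '{label}' imitates '{hit}' but package is '{package}'")
    return {"package": package, "hce_services": hce, "findings": findings}

# Constructed sample manifest in the shape of a fake wallet app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Google Pay">
    <service android:name=".RelayApduService">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed sample yields five findings; a manifest with no HCE service and a neutral label yields none.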
In conclusion, the rise of NFC relay malware marks a turning point in mobile payment security. With cybercriminals exploiting Android’s legitimate payment features for fraudulent use, it is crucial for users and app developers alike to prioritize proactive defense strategies. As contactless payments continue to dominate, understanding and mitigating NFC-based threats will be essential for safeguarding Europe’s rapidly evolving digital economy.