Hackers Use NFC Relay Malware to Clone Tap-to-Pay Android Transactions
A new investigation from mobile security firm Zimperium has revealed a fast-growing cybersecurity threat targeting Android users through their tap-to-pay systems. The company’s research team, zLabs, has been tracking hundreds of malicious apps that use Android’s Near Field Communication (NFC) and Host Card Emulation (HCE) features to steal payment data, turning infected phones into tools for payment fraud.
Since April 2024, analysts have uncovered more than 760 malicious apps built to intercept card data in real time. Although the campaign started with a few isolated cases, it has now become a global issue, with infections seen in Russia, Poland, the Czech Republic, Slovakia, Brazil, and several other countries.
The findings, published in Zimperium’s report titled “Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices,” show that this method of attack is spreading fast as cybercriminals look for new ways to exploit mobile payments.
The malicious apps pretend to be official banking or government applications, copying the look and feel of trusted brands such as Google Pay, VTB Bank, Santander, and the Russian State Services Portal (Gosuslugi).
List of organizations impersonated by the malicious apps (Image via Zimperium)
Once installed, these fake apps prompt users to set them as the device’s default payment app. In reality, they activate NFC relay functionality that forwards card data to remote servers controlled by attackers, allowing them to perform fraudulent transactions almost instantly.
According to Zimperium’s blog post shared with Hackread.com, the operation involves more than 70 command-and-control servers and numerous Telegram bots coordinating the scam and resale of financial data.
The malware communicates using structured commands, where one infected device collects payment data and another device uses it to complete transactions at a physical terminal. The entire exchange happens through live relay, letting attackers spoof legitimate NFC payments without physical access to the victim’s card.
Researchers also noted that these apps are carefully disguised. They display authentic-looking interfaces within a simple web view, often showing real logos and text from financial institutions to convince users they are genuine.
Once the device is compromised, the app quietly relays sensitive information such as card numbers, expiration dates, and EMV data through private Telegram channels, where cybercriminals manage stolen credentials and sales.
Unlike traditional banking trojans that depend on overlays or SMS interception, this new generation of malware abuses Android’s Host Card Emulation capability to act like a virtual payment card. It’s a more direct and efficient approach that bypasses security designed for older types of malware aimed at financial data.
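The abuse described above is only possible for an app that registers itself as an Android Host Card Emulation service, which leaves a recognisable footprint in the APK: a service that handles the `android.nfc.cardemulation.action.HOST_APDU_SERVICE` action, protected by `android.permission.BIND_NFC_SERVICE`, with an `apduservice` XML listing the EMV application identifiers (AIDs) it wants to answer for. The following Python script is an added example, not code from Hackread or Zimperium, showing how a defender can triage a decoded APK by reading those declarations and flagging the combination the article describes (a payment-category AID group in an app that also holds the INTERNET permission, with no device unlock required). The manifest and `apduservice.xml` strings are constructed samples; the package name, service name and flag labels are hypothetical. Genuine wallet apps match the same pattern, so this is a review heuristic for sideloaded or unexpected apps, not a malware detector.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes under ElementTree
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"
INTERNET = "android.permission.INTERNET"

# Constructed sample: a decoded AndroidManifest.xml shaped like an HCE app.
# Package and class names are placeholders, not real identifiers.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example Pay">
    <service android:name=".ExampleApduService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed sample: res/xml/apduservice.xml referenced by the service above.
# The two AIDs are the well-known Visa and Mastercard payment application AIDs.
SAMPLE_APDUSERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/servicedesc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aiddesc" android:category="payment">
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""


def triage_hce(manifest_xml: str, apduservice_xml: str) -> dict:
    """Collect the HCE-related facts a reviewer wants and derive simple flags."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}

    # Every service that answers the HCE intent action is a card-emulation service.
    hce_services = []
    for svc in root.iter("service"):
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        hce_services.append({
            "name": svc.get(A + "name"),
            # Android only binds the service if it is guarded by BIND_NFC_SERVICE.
            "bind_permission_ok": svc.get(A + "permission") == BIND_NFC,
            "has_apdu_metadata": any(m.get(A + "name") == HCE_META
                                     for m in svc.iter("meta-data")),
        })

    # The apduservice resource says which AIDs the app wants routed to it.
    apdu = ET.fromstring(apduservice_xml)
    payment_aids, other_aids = [], []
    for group in apdu.iter("aid-group"):
        target = payment_aids if group.get(A + "category") == "payment" else other_aids
        target.extend(f.get(A + "name") for f in group.iter("aid-filter"))
    require_unlock = apdu.get(A + "requireDeviceUnlock", "false").lower() == "true"

    # Hypothetical flag labels: the combination the article describes is an app that
    # emulates a payment card while also being able to reach a remote server.
    flags = []
    if payment_aids and INTERNET in permissions:
        flags.append("payment-aid-plus-internet")
    if payment_aids and not require_unlock:
        flags.append("no-device-unlock-required")
    if any(not s["bind_permission_ok"] for s in hce_services):
        flags.append("hce-service-without-bind-permission")

    return {
        "permissions": permissions,
        "hce_services": hce_services,
        "payment_aids": payment_aids,
        "other_aids": other_aids,
        "require_device_unlock": require_unlock,
        "flags": flags,
    }


if __name__ == "__main__":
    result = triage_hce(SAMPLE_MANIFEST, SAMPLE_APDUSERVICE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real device the same declarations can be confirmed without unpacking anything: an app that appears under Settings > Connected devices > NFC > Contactless payments as a selectable default payment app has registered a payment-category HCE service, and a user who did not knowingly install a wallet should treat that as the warning sign the article describes.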
Zimperium’s detection systems have already identified and blocked multiple NFC relay malware families through its Mobile Threat Defense (MTD) and zDefend platforms. However, the company’s findings point to the need for stronger protection for NFC permissions and payment privileges.
If you are an Android user, the best protection for now includes downloading apps from the official Google Play Store, avoiding third-party stores, using updated mobile security software, using common sense and staying alert to unknown requests involving payment settings.