Near-Field Communication (NFC) relay malware has become widespread in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal people's payment card information in the past few months.
Unlike traditional banking trojans, which use overlays to steal banking credentials or remote access tools to perform fraudulent transactions, NFC malware abuses Android's Host Card Emulation (HCE) to emulate contactless payment cards or steal their data.
These apps capture EMV fields, respond to APDU commands from a POS terminal with attacker-controlled replies, or forward the terminal's requests to a remote server, which crafts the proper APDU responses so that a payment goes through at the terminal without the physical cardholder present.
The technique was spotted in the wild for the first time in 2023 in Poland, followed by campaigns in the Czech Republic, and later, more massive attack waves in Russia.
Over time, multiple variants emerged following different practical approaches, including:
Data harvesters that exfiltrate EMV fields to Telegram or other endpoints,
Relay toolkits that forward APDUs to remote paired devices,
"Ghost-tap" payments where HCE responses are manipulated to authorize POS transactions in real time,
and PWAs or fake bank apps that are registered as the default payment handler on Android.
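The variants above share one prerequisite: the app must declare an Android HCE service and, to hijack tap-to-pay, register an AID group in the "payment" category. That makes a decoded app's manifest and its host-apdu-service XML a cheap triage point for analysts. The following script is an added example, not code from the article or from Zimperium; it assumes the manifest has already been decoded to plain XML (as apktool produces), and the sample manifest, package name and resource name it contains are constructed for illustration. The action, permission and element names are the real Android HCE manifest vocabulary, and the two AIDs are the widely published Visa and Mastercard application identifiers.

```python
"""Static triage of a decoded Android app for HCE payment handlers (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_BIND_PERMISSION = "android.permission.BIND_NFC_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
# Widely published EMV application identifiers for the two largest card networks.
KNOWN_PAYMENT_AIDS = {"A0000000031010": "Visa", "A0000000041010": "Mastercard"}


def android_attr(name):
    """Qualified name for an android:<name> attribute as ElementTree exposes it."""
    return "{%s}%s" % (ANDROID_NS, name)


def find_hce_services(manifest_xml):
    """Return (package, requested permissions, services declaring the HCE action)."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(android_attr("name")) for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        meta = {m.get(android_attr("name")): m.get(android_attr("resource"))
                for m in svc.iter("meta-data")}
        services.append({"name": svc.get(android_attr("name")),
                         "bind_permission": svc.get(android_attr("permission")),
                         "apdu_resource": meta.get(HCE_META)})
    return root.get("package"), permissions, services


def parse_apdu_service(apdu_xml):
    """Extract the unlock requirement and (category, AID) pairs from host-apdu-service XML."""
    root = ET.fromstring(apdu_xml)
    # Android treats a missing requireDeviceUnlock attribute as false.
    require_unlock = root.get(android_attr("requireDeviceUnlock"), "false") == "true"
    aids = []
    for group in root.iter("aid-group"):
        category = group.get(android_attr("category"))
        for f in group.iter("aid-filter"):
            aids.append((category, (f.get(android_attr("name")) or "").upper()))
    return require_unlock, aids


def triage(manifest_xml, apdu_xml_by_resource):
    """Combine manifest and apduservice facts into analyst-facing findings."""
    package, permissions, services = find_hce_services(manifest_xml)
    findings = []
    for svc in services:
        name = svc["name"]
        if svc["bind_permission"] != HCE_BIND_PERMISSION:
            findings.append("%s: HCE service not guarded by BIND_NFC_SERVICE" % name)
        apdu_xml = apdu_xml_by_resource.get(svc["apdu_resource"])
        if apdu_xml is None:
            findings.append("%s: apduservice resource %s not found" % (name, svc["apdu_resource"]))
            continue
        require_unlock, aids = parse_apdu_service(apdu_xml)
        payment_aids = [aid for cat, aid in aids if cat == "payment"]
        if not payment_aids:
            continue
        findings.append("%s: registers as a payment HCE handler" % name)
        for aid in payment_aids:
            if aid in KNOWN_PAYMENT_AIDS:
                findings.append("%s: claims %s AID %s" % (name, KNOWN_PAYMENT_AIDS[aid], aid))
        if not require_unlock:
            findings.append("%s: serves APDUs without device unlock" % name)
        if "android.permission.INTERNET" in permissions:
            findings.append("%s: payment HCE plus INTERNET permission (remote relay possible)" % name)
    return package, findings


# Constructed sample input: a decoded manifest and its apduservice resource.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RelayApduService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

SAMPLE_APDU_SERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_desc" android:category="payment">
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""

if __name__ == "__main__":
    pkg, results = triage(SAMPLE_MANIFEST, {"@xml/apduservice": SAMPLE_APDU_SERVICE})
    print(pkg)
    for line in results:
        print(" -", line)
```

None of these findings alone proves malice; a legitimate wallet app also registers a payment AID group and needs network access. The value is in combining them with context, such as whether the package is a known wallet, whether it was sideloaded, and whether the user was told to set it as the default payment handler. On a device, the same question can be asked at runtime by checking which app currently holds the default payment role under Settings.
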
According to mobile security firm Zimperium, a member of Google's 'App Defense Alliance,' the popularity of NFC malware on Android has exploded lately, particularly in Eastern Europe.