Cybersecurity researchers have identified a significant rise in NFC relay malware targeting European payment cards through Android devices. Over 760 malicious apps have been discovered in recent months using this technique to steal financial information.

Unlike traditional banking trojans, which rely on overlays or remote access tools to capture credentials, NFC malware exploits Android’s Host Card Emulation (HCE) technology. This allows attackers to emulate contactless credit cards and intercept payments without the physical presence of the card.

The malware can:

  • Capture EMV fields and respond to APDU commands from point-of-sale terminals with attacker-controlled replies.
  • Forward terminal requests to a remote server to generate valid APDU responses for real-time payments.
  • Manipulate HCE responses to authorize transactions instantly.
  • Register fake banking apps or Progressive Web Apps as default payment handlers on Android.

The malware first appeared in Poland in 2023, followed by campaigns in the Czech Republic and, more recently, in Russia. Multiple variants have emerged, including:

  • Data harvesters that send EMV information to Telegram or other endpoints.
  • Relay toolkits that forward APDU commands to remote paired devices.
  • Ghost-tap payment tools that authorize POS transactions without the cardholder’s presence.
  • Fake banking apps registered as default payment handlers.

Zimperium, a member of Google’s App Defense Alliance, has warned that NFC malware on Android is increasing rapidly, particularly in Eastern Europe. The firm noted that the threat is spreading to Russia, Poland, the Czech Republic, Slovakia, and other regions.

Researchers have identified over 70 command-and-control servers and distribution hubs, along with Telegram bots and private channels used to exfiltrate stolen data and coordinate operations. The malicious apps often impersonate Google Pay and banks such as Santander, VTB, Tinkoff, ING, Bradesco, and Promsvyazbank.


About The Author

Arsalan Rathore

Arsalan Rathore is a tech geek who loves to pen down his thoughts and views on VPN, cybersecurity technology innovation, entertainment, and social issues. He likes sharing his thoughts about the emerging tech trends in the market and also loves discussing online privacy issues.
