Ethical Hacking News
A surge in NFC relay malware has been detected across Eastern Europe, targeting contactless credit card information through Android devices. To safeguard your device, avoid installing APKs from outside Google Play, install banking apps directly from official links, and regularly scan for suspicious activity.
Malicious Android apps using NFC relay malware have been detected in Eastern Europe, exploiting Host Card Emulation (HCE) to steal contactless credit card and payment data. The origin of this malicious activity dates back to 2023, with campaigns observed in Poland, the Czech Republic, and Russia. Over 760 malicious apps have been detected, employing tactics such as data harvesters, relay toolkits, and "ghost-tap" payments. The menace has expanded significantly due to the ease of implementation and widespread adoption of Android devices in Eastern Europe. Command-and-control servers and Telegram bots have been identified supporting malicious campaigns, with over 70 C2 servers found. Users are advised to install only banking apps from official bank links, be vigilant for suspicious permissions, and use Play Protect regularly.
In recent months, a surge in malicious Android apps utilizing Near-Field Communication (NFC) relay malware has been detected across Eastern Europe. The nefarious actors behind this menace have successfully employed a technique that exploits Android's Host Card Emulation (HCE) to steal contactless credit card and payment data. This development highlights the growing threat of NFC-based financial theft, which poses significant risks to consumers and businesses alike.
The origin of this malicious activity dates back to 2023, when researchers first identified an isolated sample in Poland. Only more recently did the operators scale up, with campaigns subsequently observed in the Czech Republic and Russia. Over time, multiple variants of NFC malware have emerged, each employing distinct tactics to reach the same goal: turning a victim's phone into a source of usable contactless card data.
Among these tactics are data harvesters, which exfiltrate EMV fields from compromised devices to Telegram or other endpoints; relay toolkits that forward APDUs to remote paired devices; "ghost-tap" payments where HCE responses are manipulated to authorize POS transactions in real time; and PWAs or fake bank apps registered as the default payment handler on Android. The scope of this menace has expanded significantly, with over 760 malicious apps detected in the wild.
The rise of NFC malware can be attributed to its relative ease of implementation and the widespread adoption of Android devices across Eastern Europe. According to Zimperium, a mobile security firm and member of Google's App Defense Alliance, this menace has accelerated significantly over the past few months, with campaigns previously documented by other vendors now broadening their reach to additional regions.
To illustrate the scale of this threat, Zimperium has revealed the presence of over 70 command-and-control (C2) servers and app distribution hubs supporting these malicious campaigns. Furthermore, dozens of Telegram bots and private channels have been identified as being used by the actors involved to exfiltrate stolen data or coordinate operations.
The malicious apps that distribute this NFC malware often impersonate legitimate financial institutions, such as Santander Bank, VTB Bank, Tinkoff Bank, ING Bank, Bradesco Bank, Promsvyazbank (PSB), and several others. This ploy is designed to deceive users into installing the malware-laden app without suspecting a thing.
In light of this new threat, Android users are advised to take immediate action to safeguard their devices against NFC-based financial theft. First and foremost, it is essential that users never install APKs from outside Google Play unless they explicitly trust the publisher. Furthermore, only banking apps should be installed directly from official bank links, with users being vigilant for suspicious permissions such as NFC access or foreground service privileges.
Regular scanning of devices using Play Protect, Android's built-in anti-malware tool, is also highly recommended. Moreover, disabling NFC when not needed can greatly reduce the risk of falling prey to this menace.
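The tactics described earlier (HCE card emulation plus a network path to a remote device) and the advice above about watching for NFC and foreground-service permissions can be checked statically before an APK is installed. The following Python script is an added example, not code from the article or from Zimperium: it parses an AndroidManifest.xml and reports the combination of declarations a relay-capable app needs, namely a HostApduService (the Android component that lets an app answer a POS terminal as if it were a card), NFC access, and INTERNET access. The two manifests embedded in it are constructed samples; the package and service names are placeholders. Because a legitimate tap-to-pay wallet declares exactly the same things, the script's output is a review prompt that points back to the article's advice (confirm the app came from the bank's official link), not a malware verdict.

```python
"""Static triage of an AndroidManifest.xml for the HCE-relay declaration pattern.

Added example (not from the article or any vendor). A genuine tap-to-pay wallet
declares the same components, so a positive result means "verify provenance",
not "malicious".
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
BIND_NFC_SERVICE = "android.permission.BIND_NFC_SERVICE"

# Permissions worth a second look in a supposed banking app, per the advice above.
WATCH_PERMISSIONS = {
    "android.permission.NFC": "NFC access",
    "android.permission.FOREGROUND_SERVICE": "foreground service (can keep a relay running off-screen)",
    "android.permission.INTERNET": "network access (required to forward APDUs or exfiltrate EMV data)",
}


def _android_attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return a dict describing the HCE/relay-relevant declarations in a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    hce_services = []
    for service in root.iter("service"):
        actions = {_android_attr(a, "name") for a in service.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append({
                "name": _android_attr(service, "name"),
                # Android only binds a HostApduService that is guarded by
                # BIND_NFC_SERVICE; a missing guard suggests a sloppy or hand-rolled build.
                "guarded_by_bind_nfc_service": _android_attr(service, "permission") == BIND_NFC_SERVICE,
            })

    findings = [desc for perm, desc in WATCH_PERMISSIONS.items() if perm in permissions]
    if hce_services:
        findings.append("declares a HostApduService (app can answer a POS terminal like a card)")

    # The relay pattern needs all three: emulate a card, use the NFC radio, reach a remote peer.
    relay_capable = (
        bool(hce_services)
        and "android.permission.NFC" in permissions
        and "android.permission.INTERNET" in permissions
    )
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in permissions if p),
        "hce_services": hce_services,
        "findings": findings,
        "relay_capable": relay_capable,
        "verdict": ("REVIEW: relay-capable; confirm the APK came from the bank's official link"
                    if relay_capable else "no HCE relay indicators"),
    }


# Constructed sample: a fake "bank" app with the full HCE relay footprint (placeholder names).
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Bank">
        <service android:name=".RelayCardService"
                 android:exported="true"
                 android:permission="android.permission.BIND_NFC_SERVICE">
            <intent-filter>
                <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
            </intent-filter>
            <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                       android:resource="@xml/apduservice"/>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("fake bank app", FAKE_BANK_MANIFEST), ("notes app", BENIGN_MANIFEST)):
        report = triage_manifest(xml)
        print(label, "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

On a real device the manifest is obtained by unpacking the APK (for example with apktool or aapt) before it is sidelloaded; the INTERNET permission on its own is deliberately not treated as an indicator, since almost every app declares it, and the script only escalates when it appears together with card emulation and NFC access.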
In conclusion, the proliferation of NFC relay malware poses a significant threat to European credit card security and highlights the need for heightened vigilance from users and businesses alike. As this malicious activity continues to evolve and expand its reach, it is essential that all parties take proactive measures to protect themselves against this growing threat.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Near-Field-Communication-A-Growing-Threat-to-European-Credit-Card-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/massive-surge-of-nfc-relay-malware-steals-europeans-credit-cards/
Published: Thu Oct 30 16:26:25 2025 by llama3.2 3B Q4_K_M