Android NFC Malware Targets Contactless Payments: HCE Abuse and APDU Tunneling Drive Fraud

CyberSecureFox 🦊

Researchers at Zimperium report a sharp rise in Android malware aimed at contactless payments across Eastern Europe. More than 760 NFC-focused samples have been identified in recent months, with threat actors abusing legitimate Android mechanisms to skim payment data and execute unauthorized transactions. The attack tempo is not slowing; it is accelerating, making mobile tap-to-pay a priority risk area for consumers and financial institutions.

What is NFC malware and why it matters for mobile payments

Unlike classic banking trojans that rely on overlays and screen capture, NFC malware targets Android’s Host Card Emulation (HCE) feature. HCE lets a phone emulate a contactless card so it can interact with a POS terminal as if it were a physical card. When abused, the malware inserts itself into the data exchange, influencing critical parts of the payment protocol without obvious user indicators.

Core techniques: HCE abuse, EMV data theft, and APDU tunneling

Threat activity involves multiple technical vectors. First, samples intercept and exfiltrate EMV fields—the structured transaction data—often sending it to Telegram bots or attacker-controlled servers. This data can be repurposed for fraud or sold in underground markets.

Second, operators deploy APDU tunneling, relaying POS terminal commands to a remote server that returns valid real-time responses for authorization. This proxy-like mode enables payments to be completed without the physical card and without the device owner’s knowledge.

Third, some families mimic the “Ghost Tap” concept by dynamically modifying HCE responses on the fly to silently finalize a transaction at checkout, reducing the likelihood of detection during the interaction.

Campaign scale, infrastructure, and regional impact

Zimperium estimates the ecosystem spans 70+ command-and-control servers, distribution sites, and dozens of private Telegram channels used for coordination and data collection. Early incident reports date back to autumn 2023, initially impacting customers of major banks in the Czech Republic. In Russia, the first attacks using NFCGate surfaced in August 2024.

According to F6, by the end of Q1 2025, malicious NFCGate variants accounted for an estimated RUB 432 million in losses. From January to March, attackers averaged about 40 successful intrusions per day, with a mean loss of roughly RUB 120,000 per incident. These figures point to mature monetization and resilient distribution channels.

Impersonation of payment brands and default Tap-to-Pay abuse

Distribution frequently relies on convincing PWA lookalikes and fake banking clients that register themselves as the default Tap-to-Pay handler in Android. Impersonated brands include Google Pay and well-known banks such as Santander Bank, VTB, Tinkoff, Bank of Russia, ING Bank, Bradesco, and Promsvyazbank. Visual fidelity is often high, complicating user detection of spoofed apps.

How the malware spreads and moves stolen data

Primary vectors include phishing sites, third-party APK catalogs, messaging-app campaigns, and closed Telegram communities. Stolen data typically flows to Telegram bots, private channels, or attacker C2 servers for aggregation and subsequent use in fraudulent transactions.

Practical defenses: reducing risk in Android contactless payments

For Android users: Install apps only from Google Play and avoid side-loaded APKs or “clone” banking apps. Regularly verify which app is set as the default Tap-to-Pay handler and revoke suspicious assignments. Keep NFC disabled when not in use, minimize permissions for payment-related apps, enable Google Play Protect, and apply OS and security updates promptly.

Enable push notifications and transaction limits for all cards. If unusual activity appears, immediately block the card through your bank’s official app or hotline. Treat links to PWA “updates” in messengers with caution and verify domains before installation.

For organizations: Enforce MDM/EMM policies with approved-app allowlisting, restrict HCE usage to vetted applications, and monitor for anomalous HCE-service behavior that suggests APDU/EMV data relaying or tunneling. Coordinate with threat intelligence providers to track emerging NFC malware families and take down their infrastructure.
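One way an MDM agent or a bank's own app could implement two of the checks above (which apps register an HCE service, and whether the default Tap-to-Pay handler is a vetted, Play-installed app), as an added Kotlin example that is not code from Zimperium, F6 or any product named in this article. The allowlist contents and the `HceFinding` type are placeholders, and the code assumes the caller has package visibility (an MDM/device-owner agent, or an app holding `QUERY_ALL_PACKAGES`).

```kotlin
import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager
import android.nfc.NfcAdapter
import android.nfc.cardemulation.CardEmulation
import android.nfc.cardemulation.HostApduService
import android.os.Build

// Hypothetical allowlist of HCE payment handlers the organization has vetted.
// The package name is a placeholder; populate this from your own policy.
val APPROVED_HCE_PACKAGES = setOf("com.example.bank.wallet")
private const val PLAY_STORE_INSTALLER = "com.android.vending"

data class HceFinding(val component: ComponentName, val reasons: List<String>)

/** Installer package of [pkg], or null when unknown (typically a side-loaded APK). */
private fun installerOf(pm: PackageManager, pkg: String): String? = try {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        pm.getInstallSourceInfo(pkg).installingPackageName
    } else {
        @Suppress("DEPRECATION")
        pm.getInstallerPackageName(pkg)
    }
} catch (e: Exception) { // NameNotFoundException / IllegalArgumentException
    null
}

/**
 * Enumerates every app that registers a HostApduService (the HCE mechanism the
 * malware abuses) and reports those that are off the allowlist, were not installed
 * from Google Play, or hold the default Tap-to-Pay role while unapproved.
 */
fun auditHceServices(context: Context): List<HceFinding> {
    val pm = context.packageManager
    val adapter = NfcAdapter.getDefaultAdapter(context) ?: return emptyList() // no NFC hardware
    val cardEmulation = CardEmulation.getInstance(adapter)
    // Any service usable for HCE must declare this intent action in its manifest.
    val hceServices = pm.queryIntentServices(Intent(HostApduService.SERVICE_INTERFACE), 0)
    val findings = mutableListOf<HceFinding>()
    for (resolveInfo in hceServices) {
        val si = resolveInfo.serviceInfo
        val component = ComponentName(si.packageName, si.name)
        val reasons = mutableListOf<String>()
        val approved = si.packageName in APPROVED_HCE_PACKAGES
        if (!approved) reasons += "HCE service not on allowlist"
        if (installerOf(pm, si.packageName) != PLAY_STORE_INSTALLER) reasons += "not installed from Google Play"
        // An unapproved app holding the payment role is the "fake banking client
        // registered as default Tap-to-Pay handler" pattern described above.
        if (!approved && cardEmulation.isDefaultServiceForCategory(component, CardEmulation.CATEGORY_PAYMENT))
            reasons += "is the DEFAULT Tap-to-Pay handler"
        if (reasons.isNotEmpty()) findings += HceFinding(component, reasons)
    }
    return findings
}
```

Any non-empty result is worth surfacing to the user or the security team, since a legitimate device normally has only the wallet and bank apps it was provisioned with registered for HCE.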

The expansion of NFC malware and the increasing number of campaigns demonstrate that attacks on contactless payments are becoming a systemic threat. Consistent updates, disciplined app hygiene, strict control of default payment handlers, and vigilant transaction monitoring markedly reduce exposure. Organizations and users that adopt these practices are better positioned to withstand evolving tap-to-pay fraud schemes.
