Experts at Zimperium warn of a rise in NFC malware for Android in Eastern Europe. Over the past few months, researchers have discovered more than 760 such apps using NFC attacks to steal users’ payment data.
Researchers explain that, unlike traditional banking trojans that steal logins and passwords via phishing overlays or gain remote access to the device, NFC malware operates in a more sophisticated way. It exploits Android’s built-in Host Card Emulation (HCE) feature, which allows the emulation of contactless payment cards.
These malware variants operate in different ways. Some intercept EMV fields and exfiltrate the data to Telegram or attacker-controlled servers. Others relay APDU commands from POS terminals to remote servers, which generate valid responses for payment authorization — all without the physical card and without the owner’s knowledge.
There are also more advanced variants that use techniques like Ghost Tap, where manipulation of HCE responses occurs in real time to process a payment at the checkout.
Some samples of such malware masquerade as PWAs (Progressive Web Apps) or fake banking apps and register themselves in the system as the default payment handler on Android.
Recall that we have already covered these attacks more than once (1, 2, 3, 4, 5)—they first came to the attention of infosec experts in the fall of 2023, when reports began to emerge about breaches targeting customers of major Czech banks.
Initially, NFC attacks revolved around abusing the aforementioned open-source application NFCGate, which was created in 2015 by students of the Technical University of Darmstadt. It is intended for debugging NFC data transmission protocols. The app supports numerous features, but what interests attackers most is capturing an app’s NFC traffic and forwarding it to a remote device, which can be a server or the attacker’s own smartphone.
The first attacks using NFCGate in Russia were recorded in August 2024, and by the end of the first quarter of 2025, the total losses from the use of malicious versions of NFCGate amounted to 432 million rubles. As reported by F6 experts, from January to March criminals carried out an average of 40 successful attacks per day, and the average loss amounted to 120,000 rubles.
“What started as a few isolated [malware] samples has grown to more than 760 malicious apps. NFC attacks aren’t slowing down—they’re continuing to accelerate,” Zimperium experts note.
In their report, the researchers said they discovered more than 70 command-and-control servers and malware distribution platforms, as well as dozens of Telegram bots and private channels that attackers use to coordinate their operations and receive stolen data.
According to experts, NFC malware is mainly distributed through fake apps that imitate Google Pay or the mobile clients of major banks. In particular, attackers exploit brands such as Santander Bank, VTB, Tinkoff Bank, the Bank of Russia, ING Bank, Bradesco Bank, Promsvyazbank, and others. It is also noted that visually the malicious apps can be quite convincing.
Zimperium experts provided Android users with several security recommendations:
- never install APK files from third-party sources or untrusted publishers;
- install banking apps only via official links from bank websites;
- carefully review requested permissions — requests for NFC access or background service privileges should raise suspicion;
- regularly scan your device with Play Protect;
- turn off NFC if you’re not using it.