Android Apps misusing NFC and HCE to steal payment data on the rise

Pierluigi Paganini November 03, 2025

Zimperium zLabs found 760+ Android apps abusing NFC and HCE to steal payment data, showing a surge in NFC relay fraud since April 2024.

Zimperium zLabs researchers spotted over 760 Android apps abusing Near-Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and commit fraud, showing rapid growth in NFC relay attacks since April 2024.

The NFC malware targets banks, payment services and government portals worldwide, including Russian banks and regulators, European banks (PKO, ČSOB, NBS), Brazilian banks, Google Pay and others. The malicious apps impersonate trusted institutions to lure victims. Variants operate either as paired “scanner/tapper” toolchains or as standalone data collectors that exfiltrate EMV data to Telegram channels, sending device IDs, card numbers and expiry dates. The apps urge users to set them as the default NFC payment handler, while background services process the APDU exchanges.

Operators remotely control the apps through a command-and-control server. They send simple commands to log in, register the device, relay card terminal requests (APDUs), provide PINs, check status, pair devices, push updates, or send Telegram alerts, letting them run fake transactions without the user doing much.

Continuous device registration and dynamic command flows complicate detection and response.
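The behaviour described above has a static footprint that defenders can look for before an app ever runs: to become a tap-to-pay handler an Android app must declare a Host Card Emulation service bound to the `HOST_APDU_SERVICE` action and register a `payment` AID group. The triage helper below is an added example (not Zimperium's tooling and not code from the campaign) that parses a manifest and its HCE service descriptor and flags the combination that matches the report's "requests NFC payment privileges" warning sign: a payment-category HCE service, a claim on the PPSE AID (`2PAY.SYS.DDF01`), Internet permission for exfiltration or C2, and a service that works while the device is locked. The package name `com.example.fakebank` and both XML documents are constructed sample inputs.

```python
"""Static triage of an Android app's tap-to-pay footprint.

Added example, not code from the article or from Zimperium. The two XML
samples below are constructed; the attribute and action names are the
standard Android HCE declarations.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
NFC_PERMISSION = "android.permission.NFC"
INTERNET_PERMISSION = "android.permission.INTERNET"
PPSE_AID = "325041592E5359532E4444463031"  # hex of "2PAY.SYS.DDF01"

# Constructed manifest of a hypothetical app (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <service android:name=".CardService" android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
          android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml: payment AID group claiming the PPSE
# and the well-known Visa AID, usable without unlocking the device.
SAMPLE_APDU_SERVICE = """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc"
    android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_group_desc" android:category="payment">
    <aid-filter android:name="325041592E5359532E4444463031"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>"""

# Constructed manifest of an ordinary NFC app with no card-emulation service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Tag Reader"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage(manifest_xml, apdu_service_xml=None):
    """Return the HCE-related indicators found in a manifest and its
    HCE service descriptor (the descriptor is only needed when a
    HOST_APDU_SERVICE is declared)."""
    manifest = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in manifest.iter("uses-permission")}
    hce_services = [
        s for s in manifest.iter("service")
        if any(_attr(a, "name") == HCE_ACTION for a in s.iter("action"))
    ]
    findings = {
        "package": manifest.get("package"),
        "requests_nfc": NFC_PERMISSION in perms,
        "requests_internet": INTERNET_PERMISSION in perms,
        "declares_hce_service": bool(hce_services),
        "payment_aids": [],
        "claims_ppse": False,
        "works_while_locked": False,
    }
    if hce_services and apdu_service_xml:
        svc = ET.fromstring(apdu_service_xml)
        findings["works_while_locked"] = _attr(svc, "requireDeviceUnlock") == "false"
        for group in svc.iter("aid-group"):
            if _attr(group, "category") == "payment":
                findings["payment_aids"] += [
                    _attr(f, "name").upper() for f in group.iter("aid-filter")
                ]
        findings["claims_ppse"] = PPSE_AID in findings["payment_aids"]
    # The report's warning sign: an app asking for tap-to-pay privileges
    # that also has a network path out. Legitimate wallets match too, so
    # this is a triage prefilter to be checked against the expected publisher.
    findings["high_risk"] = (
        findings["declares_hce_service"]
        and bool(findings["payment_aids"])
        and findings["requests_internet"]
    )
    return findings


if __name__ == "__main__":
    for name, result in (("sample", triage(SAMPLE_MANIFEST, SAMPLE_APDU_SERVICE)),
                         ("benign", triage(BENIGN_MANIFEST))):
        print(name, result)
```

The heuristic deliberately flags a capability, not malice: Google Pay and genuine banking wallets declare the same payment-category HCE service, so the useful follow-up is to compare the package name and signing certificate against the institution the app claims to represent, which is exactly the "unknown or unfamiliar application requesting NFC payment privileges" test Zimperium recommends.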

According to Zimperium, since April 2024, over 70 command-and-control (C2) servers and dozens of Telegram bots have been used to target over 20 institutions globally, mainly Russian banks, through hundreds of malicious NFC-enabled app variants.

“With the rapid growth of ‘Tap-to-Pay’ transactions, NFC has become an increasingly attractive target for cybercriminals. These malicious applications exploit Android’s NFC permission to steal payment data directly from victims’ devices—illustrating why this attack technique has gained significant traction in recent months,” concludes the report published by Zimperium.

“Financial institutions, mobile vendors, and users should treat any unknown or unfamiliar application requesting NFC payment privileges as high risk.”

The researchers published IOCs for this campaign in this repository.
