Mobile security researchers at Zimperium zLabs have uncovered a sophisticated campaign involving hundreds of malicious Android applications that leverage Near Field Communication (NFC) relay and Host Card Emulation (HCE) to steal payment data from tap-to-pay transactions, enabling real-time financial fraud. This development marks an evolution in mobile payment threats, directly impacting users of contactless payment systems globally.
Tracked since April 2024, these applications impersonate legitimate banking and government services and turn infected devices into relays that forward sensitive card information to command-and-control servers for immediate unauthorized transactions. The operation highlights the increasing ingenuity of cybercriminals in exploiting prevalent mobile technologies.
The malicious apps are distributed through unofficial channels, masquerading as trusted financial platforms such as Google Pay, VTB Bank, and Santander, as well as government services like the Russian State Services Portal (Gosuslugi). Victims are enticed to install these fake applications and configure them as their default payment method, unknowingly granting attackers a mechanism to intercept payment details. Zimperium’s detailed analysis on its blog, “Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices”, outlines the technical specifics of this scheme.
Once activated, the malware exploits Android’s NFC and HCE functionalities. When a user initiates a tap-to-pay transaction, the infected device acts as an intermediary, capturing the payment data and relaying it to attacker-controlled command-and-control (C2) servers. These servers, numbering over 70 and often coordinated via Telegram bots, then facilitate the rapid execution of fraudulent transactions at physical point-of-sale terminals using another attacker-controlled device. This method bypasses traditional security measures that rely on physical card presence.
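For defenders triaging suspicious APKs, the mechanism described above leaves a static footprint: an app can only act as a tap-to-pay intermediary if it registers an Android Host Card Emulation service (a `HostApduService` with the `HOST_APDU_SERVICE` intent filter), declares a `payment` AID group so the user can select it as the default payment handler, and has network access to reach a C2 server. The following script is an added example written for this article, not code from Zimperium or from the malware; it parses a decoded `AndroidManifest.xml` and the HCE descriptor XML it references and reports those signals. The two XML documents are constructed samples, the package name and service name are placeholders, and the AID value is a placeholder rather than any real card scheme identifier.

```python
# Added example (not from Zimperium or the article): static triage of a decoded
# AndroidManifest.xml and its HCE descriptor for the signals an NFC relay app
# must expose. All XML below is constructed; names and the AID are placeholders.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.bank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity"/>
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Descriptor referenced by the meta-data above (res/xml/apduservice.xml).
SAMPLE_APDU_SERVICE = """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_desc" android:category="payment">
    <aid-filter android:name="A0000000000001"/>
  </aid-group>
</host-apdu-service>"""

# A manifest with no HCE service at all, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""


def _attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def find_hce_services(manifest_xml):
    """Every <service> that registers as an HCE card emulator via HOST_APDU_SERVICE."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        meta = [m for m in svc.iter("meta-data") if _attr(m, "name") == HCE_META]
        found.append({
            "name": _attr(svc, "name"),
            "bind_permission": _attr(svc, "permission"),
            "apdu_resource": _attr(meta[0], "resource") if meta else None,
        })
    return found


def aid_groups(apdu_service_xml):
    """Parse the descriptor: AID categories, AIDs, and whether unlock is enforced."""
    root = ET.fromstring(apdu_service_xml)
    # Only an explicit "true" enforces unlock; absent is treated as not required.
    unlock = _attr(root, "requireDeviceUnlock") == "true"
    return [{"category": _attr(g, "category"),
             "aids": [_attr(f, "name") for f in g.iter("aid-filter")],
             "require_unlock": unlock}
            for g in root.iter("aid-group")]


def triage(manifest_xml, apdu_service_xml):
    """Return relay-relevant signals. Legitimate wallets also register payment
    HCE services, so this is a hint for deeper analysis, not a verdict."""
    findings = []
    if not find_hce_services(manifest_xml):
        return findings
    findings.append("hce_service_registered")
    groups = aid_groups(apdu_service_xml)
    if any(g["category"] == "payment" for g in groups):
        findings.append("payment_aid_group")  # eligible as default tap-to-pay app
    if any(not g["require_unlock"] for g in groups):
        findings.append("emulates_card_while_locked")
    if "android.permission.INTERNET" in declared_permissions(manifest_xml):
        findings.append("hce_with_network_access")  # what forwarding to a C2 needs
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_APDU_SERVICE))
    print(triage(BENIGN_MANIFEST, SAMPLE_APDU_SERVICE))
```

In practice the manifest and descriptor come from an APK decoded with a tool such as apktool; the combination of a payment-category HCE service, no unlock requirement, and network access is what to escalate, with a look at what the service does with received APDUs. A genuine wallet app will trip the first and last signals too, so the app's distribution channel and the brand it claims to be remain part of the decision.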
The global scope of this campaign is significant, with observed infections spanning Russia, Poland, the Czech Republic, Slovakia, and Brazil. This widespread distribution indicates a well-organized criminal enterprise seeking to capitalize on the growing adoption of mobile payment solutions. The use of authentic-looking user interfaces within a simple web view further enhances the deceptive nature of these applications, making them difficult for average users to distinguish from legitimate services. A similar tactic of impersonation in mobile threats was discussed in a previous Cyberwarzone report on sophisticated smishing campaigns.
The primary motivation behind these attacks is financial gain. Cybercriminals continuously adapt their methods to exploit new avenues for monetary profit, and the proliferation of mobile tap-to-pay systems presents a lucrative target. This evolution in payment fraud underscores the critical need for heightened user vigilance and robust mobile security practices, as previously highlighted in our coverage of AI-Targeted Cloaking Attacks and Qilin Ransomware activity.
The ongoing threat necessitates continuous monitoring and robust security measures to protect mobile payment ecosystems from evolving relay attacks.