Chinese threat actors have been observed deploying a sophisticated Android malware that abuses Near-Field Communication (NFC) technology on infected devices to steal payment data and facilitate financial fraud. This campaign — sometimes tied to broader Chinese-speaking cybercriminal ecosystems — is active and continues to evolve.
- The malware, reportedly distributed through deceptive Android apps shared on messaging platforms like Telegram, tricks users into installing what appear to be legitimate applications. Once installed, it abuses NFC to intercept financial data.
- Separate cybersecurity reports show other malicious infrastructure (like Linux brute-forcing botnets) targeting servers worldwide, indicating a broadening threat landscape where financial data theft and infrastructure compromise go hand in hand.
- Chinese hackers are also flagged in unrelated infrastructure exploits (e.g., Cisco firewall exploitation).
How NFC-Enabled Malware Works
NFC technology allows devices in very close proximity to exchange data — it’s widely used for contactless payments, mobile wallets (like Google Pay or Apple Pay), and card-to-phone interactions. Attackers are now abusing this feature via Android malware that:
1. Intercepts NFC Payment Data
The malware reads the card over NFC when a victim taps a payment card against the infected Android device, capturing the contactless card data that a payment terminal would normally receive during a transaction.
- In several documented cases (e.g., SuperCard X, NGate), the malware visually appears as a benign app but contains hidden NFC-relay code.
2. Relays Stolen Data for Fraud
Once NFC payment data is captured:
- The malware relays it to an attacker-controlled system.
- Attackers then use that data to emulate the victim’s card on another device.
- This enables unauthorized purchases, POS (point-of-sale) transactions, or even ATM withdrawals without needing the physical card.
3. Delivered Through Social Engineering
Victims are typically lured by:
- SMS/WhatsApp phishing,
- Fake security alerts,
- Impersonated bank notifications.
These messages convince users to install a malicious “security/verification” app which secretly contains the NFC malware.
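The three steps above describe one app profile: something presented as a "security/verification" tool that nevertheless asks for NFC access, declares an NFC card-emulation (HCE) service, and has a network path to relay what it captures. The following triage script is an added example written for this article, not code from the page or from any of the malware families it names. It parses two constructed AndroidManifest.xml files and tiers each app; the manifest elements (the NFC permission, the HOST_APDU_SERVICE / OFF_HOST_APDU_SERVICE intent actions, BIND_NFC_SERVICE) are the real Android declarations, while the extra SMS and accessibility checks and the tier thresholds are my own heuristics, not indicators cited by the page.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Intent-filter actions a service declares to emulate an NFC card (Host Card Emulation)
HCE_ACTIONS = {
    "android.nfc.cardemulation.action.HOST_APDU_SERVICE",
    "android.nfc.cardemulation.action.OFF_HOST_APDU_SERVICE",
}
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_indicators(manifest_xml: str) -> dict:
    """Extract the capabilities relevant to NFC relay from a manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    hce_services = []
    accessibility = False
    for svc in root.iter("service"):
        actions = {a.get(ATTR_NAME) for a in svc.iter("action")}
        if actions & HCE_ACTIONS:
            hce_services.append(svc.get(ATTR_NAME))
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION:
            accessibility = True
    return {
        "nfc": "android.permission.NFC" in perms,
        "hce_services": hce_services,
        "internet": "android.permission.INTERNET" in perms,
        "sms": bool(perms & SMS_PERMISSIONS),
        "accessibility": accessibility,
    }


def relay_risk(ind: dict) -> tuple:
    """Tier an app as 'low', 'review' (NFC plus network: what a real wallet also
    needs, so it must be compared against an allow-list) or 'high'."""
    reasons = []
    if not (ind["nfc"] or ind["hce_services"]):
        return "low", reasons
    if ind["nfc"] and ind["hce_services"]:
        reasons.append("can both read a tapped card (NFC) and emulate one (HCE)")
    if ind["internet"]:
        reasons.append("has network access, so captured card data can leave the device")
    if ind["sms"]:
        reasons.append("reads SMS, which can expose one-time codes sent by a bank")
    if ind["accessibility"]:
        reasons.append("declares an accessibility service, a capability banking "
                       "trojans frequently abuse to read and control other apps")
    # heuristic threshold (my assumption): NFC + network + SMS or accessibility
    if ind["internet"] and (ind["sms"] or ind["accessibility"]):
        return "high", reasons
    return "review", reasons


# Constructed sample manifests, not taken from any real app.
WALLET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityverify">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("wallet", WALLET_MANIFEST), ("securityverify", SUSPECT_MANIFEST)):
        tier, why = relay_risk(manifest_indicators(xml))
        print(label, tier, why)
```

The wallet lands in "review" rather than "low" on purpose: NFC plus network is exactly what a genuine payment app needs, so this check only narrows the set of apps to compare against known publishers; the escalation to "high" comes from capabilities a card-reading app has no business combining.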
Trend: NFC Relay and Payment Fraud on the Rise
This isn’t an isolated incident:
- Global analysis shows hundreds of Android apps abusing NFC and HCE (Host Card Emulation) to steal payment data.
- NFC relay techniques have been linked to “Ghost-Tap” fraud campaigns where stolen card data is remotely used for transactions via money mules.
- Similar Android malware (e.g., NGate) has been tied to unauthorized ATM cash withdrawals by relaying NFC data harvested from victims’ phones.
How Users and Organizations Can Protect Against These Attacks
For Individual Users
- Only install apps from official app stores
- Don’t enable NFC unless needed; disable it when not in use
- Avoid tapping your card on unknown or suspicious “security” apps
- Update Android and security software regularly
- Be cautious of unsolicited messages asking for app installs or payment info
For Organizations & Banks
- Monitor and block suspicious apps requesting NFC permissions
- Employ mobile security tools that detect NFC-relay malware
- Train customers about social engineering lures and phishing vectors
- Use fraud detection systems to flag and block suspicious transactions promptly
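The Ghost-Tap pattern described earlier (card data relayed to a mule's device and spent far from the cardholder) and the fraud-detection item in the list above both come down to one observable: a card-present contactless tap that the physical card could not plausibly have made. The script below is an added example for this article, not a bank's production rule or code from the page. It runs an impossible-travel check over a constructed transaction log; the 900 km/h speed ceiling and the record layout are my assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Fastest plausible movement of a physical card between two card-present taps
# (roughly airline speed; an assumption chosen for this example).
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_impossible_travel(transactions, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return ids of contactless card-present taps that would require the same
    card to have moved faster than max_kmh since its previous contactless tap.
    Online (card-not-present) entries carry no location and are skipped."""
    flagged = []
    last_tap = {}  # card token -> most recent contactless transaction
    for t in sorted(transactions, key=lambda t: t["time"]):
        if t["entry"] != "contactless":
            continue
        prev = last_tap.get(t["card"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
            hours = (t["time"] - prev["time"]).total_seconds() / 3600
            # ignore taps within about a kilometre of each other (same high street);
            # zero elapsed time between distant places is impossible by definition
            if km > 1.0 and (hours <= 0 or km / hours > max_kmh):
                flagged.append(t["id"])
        last_tap[t["card"]] = t
    return flagged


# Constructed sample log (not real transaction data). Card tok-A is tapped twice in
# Madrid and then, 15 minutes later, in Kuala Lumpur; tok-B moves London -> Paris
# over three hours, which a train or flight can explain.
T0 = datetime(2025, 1, 15, 10, 0)
SAMPLE_TRANSACTIONS = [
    {"id": "tx1", "card": "tok-A", "time": T0, "entry": "contactless",
     "lat": 40.4168, "lon": -3.7038, "city": "Madrid"},
    {"id": "tx2", "card": "tok-A", "time": T0 + timedelta(minutes=20), "entry": "contactless",
     "lat": 40.4200, "lon": -3.7000, "city": "Madrid"},
    {"id": "tx3", "card": "tok-A", "time": T0 + timedelta(minutes=35), "entry": "contactless",
     "lat": 3.1390, "lon": 101.6869, "city": "Kuala Lumpur"},
    {"id": "tx4", "card": "tok-B", "time": T0, "entry": "contactless",
     "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"id": "tx5", "card": "tok-B", "time": T0 + timedelta(hours=3), "entry": "contactless",
     "lat": 48.8566, "lon": 2.3522, "city": "Paris"},
    {"id": "tx6", "card": "tok-B", "time": T0 + timedelta(hours=3, minutes=10), "entry": "online",
     "lat": 0.0, "lon": 0.0, "city": "-"},
]

if __name__ == "__main__":
    print("flagged:", flag_impossible_travel(SAMPLE_TRANSACTIONS))
```

A relayed tap is physically a card-present transaction at the mule's location, so velocity between taps of the same card is the signal this check keys on; a production system would combine it with the cardholder's own device location and merchant history, which this example deliberately leaves out.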
Bottom Line
NFC abuse via Android malware represents a new frontier in payment fraud — combining mobile malware, social engineering, and financial transaction protocols to steal data and execute fraud without the physical card ever leaving the victim’s pocket. The trend is global, sophisticated, and rapidly evolving, requiring both users and financial institutions to tighten mobile payment security practices.
