Incident Discovery Date: January 7, 2026
Threat Type: Android malware / NFC relay fraud / Mobile payment abuse
Impact Level: High (financial fraud, difficult detection)
Executive Summary
On January 7, 2026, security teams identified a new Android malware strain, later referred to as Ghost Tap, that enables attackers to carry out remote tap-to-pay fraud by abusing Near Field Communication (NFC) capabilities on infected Android devices. Unlike traditional mobile banking malware, Ghost Tap does not focus on stealing usernames, passwords, or card numbers. Instead, it silently hijacks the trust model behind mobile wallets and contactless payments.
The malware captures live NFC communication from a victim’s device and relays it in real time to attacker-controlled infrastructure. This allows attackers to perform fraudulent contactless transactions at physical point-of-sale terminals while making the transaction appear legitimate to banks, merchants, and payment networks. Because the payment tokens, cryptographic flows, and device identity all appear valid, fraud detection systems often fail to flag the activity until financial losses are already incurred.
What Happened
Ghost Tap surfaced during investigations into clusters of low-value but repeated unauthorized tap-to-pay transactions. These transactions shared common traits: they were contactless, occurred without PIN or biometric challenges, and originated from mobile wallet tokens tied to Android devices that showed no obvious compromise.
Further analysis revealed that affected devices had recently installed applications from outside the Google Play Store. These applications requested accessibility and NFC permissions and maintained persistent background services. Traffic analysis showed real-time communication with previously unknown external servers during NFC activity. This combination ultimately led to the discovery of a dedicated NFC relay malware family.
Initial Access and Infection Vector
The malware does not exploit a software vulnerability in Android or in mobile wallet applications. Instead, it relies entirely on social engineering and abuse of legitimate Android features.
The most common initial access paths observed were:
- SMS phishing messages claiming wallet suspension or payment issues
- Messaging app links posing as bank security updates
- Fake “tap-to-pay fix” or “wallet verification” apps
- Pirated or cracked Android apps repackaged with the malware
Victims are directed to download an APK from a third-party website and are guided through enabling “Install unknown apps”. The application’s branding and messaging are designed to closely resemble legitimate payment or system utilities.
Permissions and Capabilities Abused
Once installed, the malware aggressively requests a set of permissions that, individually, do not always raise suspicion, but together enable full control of the device’s payment behavior.
Key abused permissions include:
- Accessibility Service (core control mechanism)
- NFC access
- Overlay / draw over other apps
- Notification access
- Internet access
- Background execution and boot persistence
The accessibility permission is the most critical. With it, Ghost Tap can monitor screen activity, observe wallet application behavior, simulate user interactions, and suppress or mask visual indicators during payment activity.
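The sideloaded-app-plus-accessibility combination described above is the first thing to check on a suspect handset. The following triage helper is an added example, not part of this report: it parses the output of two adb commands (`pm list packages -i` and `settings get secure enabled_accessibility_services`) and lists packages that hold an enabled accessibility service without having been installed from the Play Store. The output formats are assumptions about current Android builds, and the sample outputs and package names are constructed.

```python
import re

PLAY_STORE_INSTALLER = "com.android.vending"

def parse_installers(pm_output):
    """Parse `adb shell pm list packages -i` lines of the form
    'package:com.foo  installer=com.android.vending' into {pkg: installer};
    sideloaded packages report installer=null (format is an assumption)."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def parse_accessibility(settings_output):
    """Parse `adb shell settings get secure enabled_accessibility_services`,
    a colon-separated list of pkg/ServiceClass entries, into a set of packages."""
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}

def flag_sideloaded_accessibility(pm_output, settings_output):
    """Packages with an enabled accessibility service whose installer is not
    the Play Store (or is unknown). These are the candidates to triage first."""
    installers = parse_installers(pm_output)
    enabled = parse_accessibility(settings_output)
    return sorted(p for p in enabled
                  if installers.get(p, "null") != PLAY_STORE_INSTALLER)

# Constructed sample output (package names are made up for this example).
PM_SAMPLE = """\
package:com.example.payfix  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.nfcsvc  installer=com.example.browser
"""
SETTINGS_SAMPLE = ("com.example.payfix/.AccService:"
                   "com.example.bank/com.example.bank.TalkbackHelper")
```

A hit here is not proof of infection on its own; correlate it with the NFC and network indicators later in the report before wiping the device.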
Technical Attack Flow
After installation, the malware registers a persistent background service and hides its launcher icon. It collects basic device metadata such as Android version, model, region, language, and installed wallet applications. The device is then registered with the attacker’s command-and-control infrastructure.
If NFC is disabled, the malware displays convincing fake system dialogs instructing the user to enable it. These dialogs are rendered using overlay permissions and are difficult for non-technical users to distinguish from legitimate system prompts.
Using accessibility monitoring, Ghost Tap detects when a wallet application is opened or when NFC communication begins. At that point, it intercepts Application Protocol Data Unit (APDU) exchanges between the device and a legitimate payment terminal. Rather than storing this data locally, the malware streams it in real time to attacker-controlled servers.
On the attacker side, the relayed NFC data is immediately replayed using an emulator or a physical NFC relay device against a point-of-sale terminal. Because the timing, cryptographic tokens, and transaction structure are preserved, the payment is processed as a valid mobile wallet transaction.
Attackers typically perform multiple low-value transactions under local no-PIN thresholds, reducing the chance of triggering fraud alerts or user suspicion.
Payloads and Malware Architecture
The primary APK functions as both a dropper and the main payload. In several observed variants, additional modules are downloaded dynamically after installation.
Key components include:
- Installation and permission handler
- Background persistence service
- NFC interception and relay module
- Encrypted C2 communication module
- Anti-analysis logic (emulator detection, delayed execution)
The malware does not require root access and avoids noisy behavior that would alert the user.
Impacted Industries and Systems
Ghost Tap impacts multiple sectors simultaneously:
- Financial institutions experience increased card-present fraud
- Retailers unknowingly process fraudulent tap-to-pay transactions
- Payment networks see elevated fraud without obvious anomalies
- End users suffer unauthorized charges and delayed detection
No specific bank or merchant system was breached. The attack exploits trust in mobile devices and contactless payment flows rather than backend vulnerabilities.
Confirmed Indicators of Compromise (IOCs)
Malicious Android Package Names
com.android.pay[.]update
com.android.nfc[.]sync
com.secure.nfc[.]service
com.wallet.security[.]verify
com.google.pay[.]fix
com.payment.system[.]patch
App Labels Shown to Users
Google Pay Update
NFC Security Service
Payment Protection
Wallet Verification Tool
Tap-to-Pay Fix
File Hashes (SHA-256)
Command-and-Control Domains
C2 IP Addresses
Network Indicators
- HTTPS over TCP/443
- No certificate pinning
- Small encrypted POST requests (300–900 bytes)
- Regular beaconing every 30–60 seconds
- Burst traffic during NFC activity
Common URL paths:
/api/v1/register
/api/v1/nfc/relay
/api/v2/session/start
/api/v2/session/keepalive
/api/v1/device/status
User-Agent examples:
Dalvik/2.1.0 (Linux; U; Android 13)
okhttp/4.10.0
Mozilla/5.0 (Android; NFC-Service)
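The network profile above (small encrypted POSTs, a steady 30-60 second keepalive, known relay URL paths) can be turned into a detector without any of the domain or IP indicators. The following is an added example, not part of this report: it groups proxy records per device and destination host, measures the inter-request cadence and request sizes, and reports streams that beacon and touch one of the listed paths. The record field names and the sample records are constructed assumptions about a proxy log schema.

```python
from collections import defaultdict
from statistics import median

# URL paths the report lists for Ghost Tap C2 traffic.
RELAY_PATHS = {"/api/v1/register", "/api/v1/nfc/relay", "/api/v2/session/start",
               "/api/v2/session/keepalive", "/api/v1/device/status"}

def is_beacon_stream(events, min_iv=30, max_iv=60, max_jitter=5,
                     min_bytes=300, max_bytes=900):
    """events: (ts_seconds, method, path, req_bytes) for one device/host pair.
    True when POSTs are 300-900 bytes and >=80% of inter-request gaps lie within
    max_jitter of a 30-60 s median; the 80% tolerates a one-off register call."""
    posts = sorted(e for e in events if e[1] == "POST")
    if len(posts) < 4:
        return False
    gaps = [b[0] - a[0] for a, b in zip(posts, posts[1:])]
    med = median(gaps)
    steady = min_iv <= med <= max_iv and \
        sum(abs(g - med) <= max_jitter for g in gaps) >= 0.8 * len(gaps)
    small = all(min_bytes <= e[3] <= max_bytes for e in posts)
    return steady and small

def find_relay_beacons(records):
    """records: dicts with keys device, host, ts, method, path, bytes (field
    names are an assumption about the proxy log schema). Returns
    {(device, host): sorted paths} for streams that beacon AND hit a relay path."""
    streams = defaultdict(list)
    for r in records:
        streams[(r["device"], r["host"])].append(
            (r["ts"], r["method"], r["path"], r["bytes"]))
    hits = {}
    for key, evs in streams.items():
        paths = {e[2] for e in evs}
        if paths & RELAY_PATHS and is_beacon_stream(evs):
            hits[key] = sorted(paths)
    return hits

# Constructed sample: device A registers once, then keeps a ~45 s keepalive
# cadence to an unknown host; device B fetches static assets irregularly.
SAMPLE = (
    [{"device": "A", "host": "relay.example.invalid", "ts": 990, "method": "POST",
      "path": "/api/v1/register", "bytes": 740}]
    + [{"device": "A", "host": "relay.example.invalid", "ts": 1000 + 45 * i + i % 2,
        "method": "POST", "path": "/api/v2/session/keepalive", "bytes": 512}
       for i in range(6)]
    + [{"device": "B", "host": "cdn.example.invalid", "ts": t, "method": "GET",
        "path": "/img/logo.png", "bytes": 4096} for t in (1000, 1003, 1400, 1402)]
)
```

Running `find_relay_beacons(SAMPLE)` flags only device A; the path match is what keeps ordinary keepalive traffic from legitimate apps out of the result.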
Detection Rules – Splunk
Unknown App with NFC and Accessibility Permissions
index=mdm_logs platform=android
| search permission IN ("ACCESSIBILITY_SERVICE","NFC")
| stats values(permission) as perms by device_id app_package
| where mvcount(perms)=2
NFC Activity Without Screen Unlock
index=android_events event_type IN ("NFC_TRANSACTION","SCREEN_UNLOCK")
| bin _time span=5m
| stats count(eval(event_type="NFC_TRANSACTION")) as nfc_count count(eval(event_type="SCREEN_UNLOCK")) as unlock_count by device_id _time
| where nfc_count>0 AND unlock_count=0
Contactless Fraud Pattern
index=payments payment_method=contactless
| bin _time span=1h
| stats count as txn_count sum(amount) as total_amount by device_token _time
| where txn_count>=5 AND total_amount<150
Detection Rules – Microsoft Sentinel
Android Permission Abuse
DeviceEvents
| where Platform == "Android"
| where ActionType == "PermissionGranted"
| where Permission in ("AccessibilityService","NFC")
| summarize Permissions = make_set(Permission) by DeviceId, AppName
| where array_length(Permissions) == 2
Sideloaded App with Risky Permissions
DeviceAppManagement
| where Platform == "Android"
| where InstallSource != "PlayStore"
| where RequestedPermissions has "Accessibility"
| where RequestedPermissions has "NFC"
Fraud Correlation
SecurityAlert
| where AlertName contains "Unauthorized Contactless"
| join kind=inner (DeviceEvents
    | where Platform == "Android" and ActionType == "PermissionGranted"
    | where Permission in ("AccessibilityService","NFC")
    | distinct DeviceId, AppName) on DeviceId
Behavioral Indicators
- Accessibility enabled for non-system apps
- NFC active while screen is locked
- Overlay activity during wallet use
- Battery drain from persistent background services
- Multiple small contactless transactions in short timeframes
Final Takeaway
Ghost Tap represents a significant shift in mobile fraud. Instead of breaking cryptography or exploiting software flaws, it exploits how much trust modern payment systems place in the device itself. By relaying live NFC traffic, attackers effectively turn victims’ phones into remote payment instruments.
This threat is quiet, efficient, and difficult to detect using traditional methods. Effective defense requires correlating mobile device behavior, permission abuse, and transaction patterns rather than relying solely on static indicators.
