New NFC Malware Wave Puts European Android Users’ Payment Cards at Risk
- Rapid Spread: NFC malware campaigns hit Poland, Czech Republic, Russia, exploiting Android HCE for cardless payments.
- Malware Capabilities: Captures EMV data, manipulates POS commands, and authorizes transactions without physical cards.
- Underground Network: 70+ servers, Telegram bots, and fake banking apps coordinate data theft operations across Europe.
Cybersecurity researchers are warning of a sharp rise in NFC relay malware targeting European users, with more than 760 malicious Android apps uncovered in recent months. The malware aims to steal payment card information by abusing Android’s contactless payment features.
The findings highlight a growing threat to consumers across Europe, especially as attackers refine techniques that no longer require stealing or skimming a physical card.
How the NFC Relay Attack Works
Unlike traditional banking trojans that depend on credential theft through overlays or remote access tools, this new wave of malware focuses on Android’s Host Card Emulation (HCE). HCE allows mobile devices to emulate contactless credit cards, which attackers are now exploiting to perform unauthorized transactions.
According to researchers, the malware can:
- Capture EMV data fields and respond to APDU commands from point-of-sale (POS) terminals.
- Forward POS requests to remote servers, which return valid responses in real time so the transaction proceeds.
- Manipulate HCE responses to instantly authorize fraudulent payments.
- Use fake banking apps or Progressive Web Apps registered as the device’s default payment handler.
This makes it possible for attackers to approve payments even without the cardholder’s knowledge or the physical card being present.
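The behaviour described above depends on an app declaring itself a Host Card Emulation service for payment AIDs. As an added illustration (not code from the article or from any vendor it cites), the following Python triage check parses a decoded APK manifest and its HCE service descriptor, lists the payment-network AIDs the app claims, and flags packages outside an allowlist or that answer payment APDUs while the device is locked. The sample XML, the package name and the allowlist are constructed placeholders.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
# Well-known EMV AIDs: the PPSE directory plus Visa/Mastercard RID prefixes
KNOWN_AID_PREFIXES = {
    "325041592E5359532E4444463031": "PPSE (2PAY.SYS.DDF01)",
    "A000000003": "Visa",
    "A000000004": "Mastercard",
}
# Hypothetical allowlist of wallet packages an organisation trusts (placeholder value)
TRUSTED_WALLETS = {"com.example.trusted.wallet"}
# Constructed sample: decoded AndroidManifest.xml and HCE service resource from a suspect APK
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>
  <service android:name=".PayService" android:permission="android.permission.BIND_NFC_SERVICE">
    <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
  </service></application></manifest>"""
APDU_SERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:requireDeviceUnlock="false"><aid-group android:category="payment">
  <aid-filter android:name="325041592E5359532E4444463031"/><aid-filter android:name="A0000000041010"/>
</aid-group></host-apdu-service>"""
def hce_services(manifest_xml):
    """Names of services that register as Host Card Emulation handlers."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID + "name") for s in root.iter("service")
            if HCE_ACTION in [a.get(ANDROID + "name") for a in s.iter("action")]]

def payment_aids(apdu_service_xml):
    """Return (AIDs in 'payment' category groups, whether device unlock is required)."""
    root = ET.fromstring(apdu_service_xml)
    unlock = root.get(ANDROID + "requireDeviceUnlock", "true").lower() == "true"
    aids = [f.get(ANDROID + "name").upper() for g in root.iter("aid-group")
            if g.get(ANDROID + "category") == "payment" for f in g.iter("aid-filter")]
    return aids, unlock

def triage(package, manifest_xml, apdu_service_xml):
    """Findings for an app whose HCE service claims payment-network AIDs."""
    findings = []
    if not hce_services(manifest_xml):
        return findings  # no HCE service declared; nothing to emulate
    aids, unlock = payment_aids(apdu_service_xml)
    for aid in aids:
        hits = [label for p, label in KNOWN_AID_PREFIXES.items() if aid.startswith(p)]
        findings += [f"{package} emulates {label} AID {aid}" for label in hits]
    if aids and package not in TRUSTED_WALLETS:
        findings.append(f"{package} is not an allowlisted wallet yet claims payment AIDs")
    if aids and not unlock:
        findings.append(f"{package} answers payment APDUs while the device is locked")
    return findings
if __name__ == "__main__":
    print("\n".join(triage("com.example.fakebank", MANIFEST, APDU_SERVICE)))
```

In practice the two XML inputs come from a decoded APK (for example the output of apktool); the same check can be run over every app on a device that reports an HCE service.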
Spread Across Europe and Beyond
The first known campaign appeared in Poland in 2023, followed by similar operations in the Czech Republic and more recently in Russia. The threat has since expanded, and analysts report multiple variants of the malware, including:
- Data harvesters that collect EMV data and send it to Telegram channels or other remote servers.
- Relay toolkits that pass APDU commands to paired devices controlled by attackers.
- Ghost-tap systems capable of authorizing POS payments remotely.
- Fake banking apps disguised as legitimate payment tools.
Zimperium, a member of Google’s App Defense Alliance, has reported rapid growth of NFC malware campaigns, particularly across Eastern Europe, including Poland, Russia, the Czech Republic, and Slovakia.
Growing Underground Ecosystem
Researchers have traced the attacks back to more than 70 command-and-control servers and malware distribution hubs. They also found Telegram bots and private channels used to coordinate operations and transfer stolen data.
Many malicious apps impersonate legitimate services, including Google Pay and banks such as Santander, VTB, Tinkoff, ING, Bradesco, and Promsvyazbank.
Security analysts warn that the evolving ecosystem suggests a coordinated effort, with tools being sold or shared among cybercriminal groups.
As NFC payments continue to grow in popularity, experts recommend that Android users remain cautious, avoid sideloading apps, and verify the authenticity of any payment or banking application installed on their devices.