NFC Relay Attack: 700+ Android Apps Harvest Banking Login Details

A sophisticated cybercrime campaign leveraging Near Field Communication (NFC) technology has gained momentum across several continents, as researchers at zLabs have uncovered over 760 malicious Android applications aimed at stealing banking credentials and facilitating fraudulent transactions. What began as isolated incidents in April 2024 has now evolved into a widespread threat operation targeting financial institutions in countries such as Russia, Poland, the Czech Republic, Slovakia, Brazil, and beyond.

The malware ecosystem is supported by an extensive infrastructure that includes more than 70 command-and-control servers, numerous private Telegram channels for data exfiltration, and applications that impersonate around 20 legitimate banking institutions and government services.

Graph showing the malicious samples found over time.

Security researchers monitoring these campaigns have observed a consistent rise in malicious samples throughout 2024, indicating that threat actors are not only refining their techniques but also broadening their geographic reach. These malicious applications utilize social engineering tactics by masquerading as legitimate services from major financial institutions and government agencies. Notable impersonations include VTB Bank, Tinkoff Bank, Santander, PKO Bank Polski, Bradesco, Itaú, and even government services like Russia’s Gosuslugi portal and regulatory bodies such as the Central Bank of Russia and the National Bank of Slovakia.

By replicating the branding and interfaces of these trusted entities, attackers effectively deceive victims into granting the applications dangerous NFC permissions. The malware exploits Android’s Host Card Emulation functionality to intercept payment data during contactless transactions. Once installed, these applications request to become the default NFC payment method while presenting convincing full-screen banking interfaces, often rendered within WebViews to enhance authenticity.

Data received on the threat actor’s private channel.

From Data Theft to Automated Fraud Operations

The operational methods employed by various threat actor groups vary significantly. Some campaigns deploy paired applications, where one tool extracts card data while another interfaces with point-of-sale systems to facilitate fraudulent purchases. Other variants focus solely on data exfiltration, automatically transmitting stolen credentials to private Telegram channels. Cybercriminals receive structured messages containing device identifiers, complete card details, and transaction metadata.

The malware maintains persistent communication with its command-and-control infrastructure through a comprehensive protocol of commands, including device registration, APDU relay for terminal communication, PIN harvesting, and status monitoring. Commands such as “apducommand” and “apduresponse” enable real-time relay attacks, allowing the malicious app to forward payment terminal requests to remote servers controlled by attackers. This effectively permits criminals to conduct transactions using victims’ payment credentials from virtually anywhere in the world. In cybercriminal forums, the Russian slang term “Mamont”—meaning mammoth—has been adopted to refer to victims of these schemes, highlighting the organized nature of these operations rooted in Eastern European cybercrime networks.

Growing Threat Demands Heightened Vigilance

The rapid spread of NFC-based payment malware underscores the adaptability of cybercriminals to the increasing adoption of contactless payment technologies. As “Tap-to-Pay” transactions become commonplace globally, the attack surface for NFC exploitation continues to expand. The scale of this threat—evidenced by hundreds of malicious applications, extensive server infrastructure, and coordinated Telegram-based command channels—illustrates that this is no longer an experimental activity but rather an established and lucrative criminal enterprise.

In response, financial institutions must enhance their fraud detection systems to identify anomalous NFC transaction patterns. Mobile device manufacturers should implement stricter controls regarding NFC permissions. Additionally, users are advised to exercise extreme caution before granting any application access to NFC payment functionality, particularly when installing apps from unofficial sources or unfamiliar developers requesting payment-related privileges.
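A defender-side illustration of the anomalous-pattern detection this paragraph calls for, added here and not taken from the article or from zLabs: two heuristics run over constructed card-present transaction records, impossible travel between consecutive taps (a relayed card can be "present" anywhere in the world) and unusually slow card responses. The record layout, the thresholds and the assumption that a relayed card adds a network round trip to its APDU latency are mine, not the article's.

```python
# Added example: relay-fraud heuristics over card-present NFC transaction
# records. Not from the article; the record layout, thresholds and sample
# data are constructed assumptions.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class Tx:
    card: str       # tokenised card identifier
    ts: float       # epoch seconds of the tap
    lat: float      # terminal location
    lon: float
    apdu_ms: float  # mean card-response latency observed by the terminal

def km_between(a: Tx, b: Tx) -> float:
    """Great-circle (haversine) distance in km between two terminals."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def relay_alerts(txs, max_kmh=900.0, max_apdu_ms=150.0):
    """Return (card, reason) pairs. Two heuristics (thresholds are assumptions):
    - slow card: a physical card answers in milliseconds; a relayed one adds a
      network round trip, so latency far above normal is suspicious;
    - impossible travel: consecutive card-present taps that would require the
      cardholder to move faster than max_kmh."""
    alerts = []
    by_card = {}
    for t in sorted(txs, key=lambda t: t.ts):
        by_card.setdefault(t.card, []).append(t)
    for card, seq in by_card.items():
        for t in seq:
            if t.apdu_ms > max_apdu_ms:
                alerts.append((card, f"slow APDU response {t.apdu_ms:.0f} ms"))
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur.ts - prev.ts) / 3600
            km = km_between(prev, cur)
            if hours <= 0 or km / hours > max_kmh:
                alerts.append((card, f"impossible travel {km:.0f} km in {hours * 60:.0f} min"))
    return alerts

# Constructed sample: card A is tapped in Warsaw and, three minutes later, in
# Sao Paulo with a slow response; card B goes Prague -> Paris in two hours.
SAMPLE = [
    Tx("A", 0, 52.23, 21.01, 12),
    Tx("A", 180, -23.55, -46.63, 480),
    Tx("B", 0, 50.08, 14.43, 15),
    Tx("B", 7200, 48.85, 2.35, 14),
]

if __name__ == "__main__":
    for card, reason in relay_alerts(SAMPLE):
        print(card, reason)
```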
