NFC fraud

AppWizard
November 3, 2025
Researchers from Zimperium zLabs have identified over 760 Android applications exploiting Near-Field Communication (NFC) and Host Card Emulation (HCE) technologies to illegally acquire payment data. Since April 2024, there has been a significant increase in NFC relay fraud, affecting banks, payment services, and government portals globally, including Russian banks and various European financial institutions. The malware operates as paired “scanner/tapper” toolchains or standalone data collectors, exfiltrating sensitive EMV data and transmitting it to Telegram channels. Operators control these applications via command-and-control (C2) servers, allowing for fraudulent transactions with minimal user involvement. More than 70 C2 servers and numerous Telegram bots have been used to target over 20 institutions worldwide, primarily Russian banks. The rise of “Tap-to-Pay” transactions has made NFC a target for cybercriminals, with malicious applications abusing Android’s NFC permissions to steal payment data. Zimperium has published Indicators of Compromise (IOCs) for this campaign to help defenders protect their systems.