A new wave of Android malware abusing Near-Field Communication (NFC) technology is spreading quickly across Eastern Europe, with researchers uncovering more than 760 malicious apps designed to steal payment card information.
Mobile security firm Zimperium, a member of Google’s App Defense Alliance, says the threat has grown dramatically in recent months.
Unlike traditional banking trojans that steal login credentials or use remote access to make fraudulent transfers, this new NFC malware exploits Android’s Host Card Emulation (HCE) feature. It enables attackers to mimic or steal contactless credit card data, allowing unauthorized payments without the physical cardholder. These apps can intercept EMV payment data, forward terminal requests to remote servers, and send fake responses to point-of-sale (POS) systems, effectively tricking them into processing real transactions.
The first cases of this technique appeared in Poland in 2023 and later expanded to the Czech Republic, followed by widespread attacks in Russia and neighboring countries. Researchers have identified several types of NFC malware, including data harvesters that send stolen payment details to Telegram, relay toolkits that connect to remote devices, and fake bank apps that register themselves as default payment handlers on Android.
Zimperium reports that the number of malicious apps using NFC relay methods has surged, supported by more than 70 command-and-control servers and numerous Telegram channels used for data theft and coordination. Many of these fake apps disguise themselves as Google Pay or major banks such as Santander, ING, VTB, Tinkoff, Bradesco, and Promsvyazbank (PSB).
Android users are strongly advised to avoid installing apps from outside Google Play unless the publisher is verified, and to download banking apps only through official bank links. It’s also important to review app permissions for NFC access, use Google Play Protect for regular security scans, and disable NFC when not in use.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Zimperium has shared a complete list of the malicious APKs found in the wild for those who wish to verify whether their devices are at risk.
