Tap-and-Steal: New NFC Banking Malware Exploits Android’s HCE for Ghost Payments
Across Eastern Europe, security researchers have observed a sharp surge in malicious Android applications exploiting contactless data transfer technologies to steal banking information. According to Zimperium, more than 760 apps have been detected in recent months leveraging NFC relay techniques to gain unauthorized access to payment data.
Unlike traditional banking trojans that spoof interfaces or seize remote control of devices, this new class of malware abuses the Host Card Emulation (HCE) mechanism, which allows a smartphone to emulate a physical bank card. These applications intercept EMV protocol fields, respond to terminal requests with pre-crafted commands, or forward them to remote servers where legitimate-looking responses are generated — enabling fraudulent transactions without the cardholder’s involvement.
Such attacks were first documented in Poland in 2023, then spread to the Czech Republic and later to Russia. Over time, several variants have emerged: programs transmitting payment data through Telegram, toolkits redirecting APDU commands to paired devices, so-called “ghost payments” where system responses are forged in real time, as well as web-based and counterfeit banking apps registering themselves as the device’s default payment method.
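As an added defender-side example (not from the article or from Zimperium's research), the following Python triage check reads a decoded AndroidManifest.xml and its host-apdu-service XML and flags an app that registers as an HCE payment service for EMV AIDs while also holding the INTERNET permission, the combination the relay variants above rely on; the sample XML and the function name triage_hce are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
EMV_AIDS = {"A0000000031010", "A0000000041010"}  # Visa, Mastercard (illustrative)

def triage_hce(manifest_xml: str, apdu_service_xml: str) -> dict:
    """Flag an HCE payment service that also has network access (relay signal)."""
    m = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in m.iter("uses-permission")}
    hce = [s for s in m.iter("service")
           if any(a.get(A + "name") == HCE_ACTION for a in s.iter("action"))
           and any(d.get(A + "name") == HCE_META for d in s.iter("meta-data"))]
    svc = ET.fromstring(apdu_service_xml)
    groups = [g for g in svc.iter("aid-group") if g.get(A + "category") == "payment"]
    aids = {f.get(A + "name", "").upper() for g in groups for f in g.iter("aid-filter")}
    r = {"hce_service": bool(hce), "payment_category": bool(groups),
         "emv_aids": sorted(aids & EMV_AIDS),
         "internet": "android.permission.INTERNET" in perms,
         "unlock_not_required": svc.get(A + "requireDeviceUnlock") == "false"}
    # Genuine wallets match the first three signals too; treat the combination as
    # a triage hit to review (signer, source, C2 traffic), not as a verdict.
    r["review"] = r["hce_service"] and bool(r["emv_aids"]) and r["internet"]
    return r

# Constructed sample (decoded manifest + apduservice.xml), not a real app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.NFC"/>
 <uses-permission android:name="android.permission.INTERNET"/>
 <application><service android:name=".PayService" android:exported="true"
   android:permission="android.permission.BIND_NFC_SERVICE">
  <intent-filter><action android:name="%s"/></intent-filter>
  <meta-data android:name="%s" android:resource="@xml/apduservice"/>
 </service></application></manifest>""" % (HCE_ACTION, HCE_META)
APDUSERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
 android:requireDeviceUnlock="false"><aid-group android:category="payment">
 <aid-filter android:name="A0000000031010"/><aid-filter android:name="a0000000041010"/>
 </aid-group></host-apdu-service>"""

if __name__ == "__main__":
    print(triage_hce(MANIFEST, APDUSERVICE))
```

Real APKs must be decoded first (apktool or similar) so the binary XML is readable; the check is a prioritisation signal for analysts, since legitimate banking wallets declare the same HCE payment service.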
Zimperium analysts note that the popularity of these tools in Eastern Europe is growing at an alarming rate. Whereas only isolated samples were seen in early 2023, there are now hundreds. Attackers coordinate their operations via more than 70 command-and-control servers, dedicated app distribution platforms, and numerous Telegram bots used to exchange stolen credentials.
Fraudulent applications often disguise themselves as legitimate payment platforms or banking apps. Users are strongly advised to download financial applications only from official sources, avoid installing APK files from third parties, and remain cautious of suspicious requests for NFC or background service access. It is also recommended to regularly scan devices with Play Protect and disable NFC functionality when not in use.