The Ghost in the Terminal: How “Ghost Tap” Malware Hijacks Your NFC Card
Group-IB researchers have identified a growing wave of Android malware, sold in underground marketplaces, that abuses Near Field Communication (NFC) to make fraudulent contactless payments. The ecosystem is run largely by Mandarin-speaking groups operating over Telegram. Inside those channels the tools are marketed under names such as “CardWallet” or “Remote Pay”; the English-speaking security community has settled on “Ghost Tap” for the technique.
The technique is an NFC relay. On the victim’s side, a phone running the malware reads the contactless interface of the victim’s physical card, or a mobile wallet already loaded with stolen card data supplies the credentials. On the attacker’s side, a second phone receives the relayed exchange and presents it to a payment terminal as though the card itself were being tapped. A Command and Control (C2) server usually acts as the intermediary, forwarding the card data from the victim’s device to the attacker’s device at the Point-of-Sale (POS) terminal. Public investigations show that some malware vendors even supply their own POS terminals, giving customers a “turnkey” setup.
Group-IB notes that victims are usually tricked into installing the malicious app through SMS phishing and social-engineering phone calls: they are pressed into downloading a supposedly “required” program and tapping their physical bank card against the phone. Once the contactless data reaches the C2 server, the attacker, or a network of “mules”, makes purchases at physical shops using a modified “tap-to-pay” app.
Alternatively, criminals use phones with pre-loaded mobile wallets that already hold stolen card credentials. Law-enforcement reports from several countries point to heavy reliance on “mule” networks to buy high-value goods in person. In virtually every case the scheme uses a two-app architecture:
- Reader: installed on the victim’s device to talk to the bank card.
- Tapper: operated by the attacker to carry out the fraudulent transactions.
Between August 2024 and August 2025, several prominent malware families emerged, including NGate, ZNFC, SuperCard X, and PhantomCard. Group-IB’s Threat Intelligence Portal further identifies TX-NFC and NFU Pay as high-risk variants.
International authorities have responded with arrests and industry alerts. Notable cases include a 2024 arrest in the Czech Republic over unauthorized cash withdrawals, a bulletin from the Texas Bankers Association about the “TRACK2 NFC” tool, and the detention of several foreign nationals in Singapore for luxury-retail fraud. In early 2025, Chinese authorities in Sichuan documented losses of more than $13,000 from similar attacks, while police in Tennessee arrested eleven people for laundering tens of thousands of dollars through gift-card purchases.
The Spring 2025 Visa Payment Ecosystem Risk and Control report likewise confirms the continued use of NFCGate-based malware for relay fraud. The market has matured and is now dominated by three brands: TX-NFC, X-NFC, and NFU Pay.
TX-NFC stands out: its Telegram channel, created in January 2025, has grown past 21,000 subscribers, and it sells tiered subscriptions from $45 for a day of access to $1,050 for a three-month license. X-NFC, which appeared in December 2024, lets a single app switch between the “Reader” and “Tapper” roles. NFU Pay, first seen in April 2025, moves data between the two devices with the MQTT protocol carried over WebSockets.
Technical analysis of TX-NFC shows the app is protected with the 360 Jiagu packer. It sends a SELECT APDU for the Proximity Payment System Environment (PPSE), the file named 2PAY.SYS.DDF01, and parses the reply to enumerate the card’s payment Application Identifiers (AIDs) before opening a WebSocket connection to relay data. NFU Pay requests a broad set of permissions, including FOREGROUND_SERVICE_DATA_SYNC and USE_EXACT_ALARM, to stay resident and keep data in sync.
Group-IB’s undercover contact with vendors suggests PhantomCard is most likely a derivative of NFU Pay, while TX-NFC bears a strong resemblance to the open-source NFCProxy project. The Telegram channel “Oedipus” also serves as a hub advertising POS terminals worldwide for use with these tools; records suggest roughly $355,000 passed through those terminals over a ten-month period.
Statistics from Group-IB Fraud Protection show a steady rise in detections of tap-to-pay malware. To counter the threat, financial institutions are urged to raise customer awareness, draw on threat intelligence, and tighten “Know Your Customer” (KYC) controls. Users are advised to be wary of unsolicited messages and calls, avoid third-party app stores, and report any unusual card activity to their bank immediately.
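As an added illustration, not Group-IB’s code and not code from any of the malware families named here, the Python below shows the first exchange the “Reader” side has with the victim’s card, which is both the relay step described earlier and the SELECT 2PAY.SYS.DDF01 step noted in the TX-NFC analysis: it builds the SELECT command for the PPSE and parses the card’s BER-TLV reply to recover the payment AIDs. The card reply is constructed for this example; the two AIDs in it are the public Mastercard and Visa AIDs. The message envelope the malware uses over its WebSocket is not shown, since the report does not document it.

```python
# Added example, not code from Group-IB or from any malware family named above.
# Shows the SELECT PPSE exchange (file name 2PAY.SYS.DDF01) a relay "Reader"
# performs against the victim's card, and how the payment AIDs are pulled out
# of the card's BER-TLV reply. The card reply is constructed for this example.

PPSE_NAME = b"2PAY.SYS.DDF01"  # Proximity Payment System Environment DF name


def build_select_ppse() -> bytes:
    """ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 (select by name) P2=00,
    Lc, the DF name, then Le=00 (accept any response length)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PPSE_NAME)]) + PPSE_NAME + b"\x00"


def parse_tlv(data: bytes) -> list:
    """Parse BER-TLV into [(tag_bytes, value)], where value is bytes for a
    primitive object and a nested list for a constructed one (bit 6 of the
    first tag byte set). Handles multi-byte tags (e.g. BF0C) and long-form
    lengths (0x81 xx, 0x82 xx xx)."""
    items, i = [], 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag: more bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV object")
        i += length
        items.append((tag, parse_tlv(value) if first & 0x20 else value))
    return items


def find_all(items: list, wanted: bytes) -> list:
    """Depth-first collection of every primitive value carrying tag `wanted`."""
    found = []
    for tag, value in items:
        if isinstance(value, list):
            found.extend(find_all(value, wanted))
        elif tag == wanted:
            found.append(value)
    return found


def extract_aids(response: bytes) -> tuple:
    """Take a raw SELECT PPSE response (FCI template + 2-byte status word) and
    return (status_word_hex, [AID hex strings in the order the card lists them]).
    AIDs sit in tag 4F inside the 61 directory entries under BF0C."""
    body, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        return sw.hex().upper(), []
    aids = [aid.hex().upper() for aid in find_all(parse_tlv(body), b"\x4F")]
    return sw.hex().upper(), aids


# Constructed card reply: 6F (FCI) { 84 DF name, A5 { BF0C { 61 {4F, 50, 87} x2 } } } + SW 9000
SAMPLE_PPSE_RESPONSE = bytes.fromhex(
    "6F3E"
    "840E" "325041592E5359532E4444463031"                    # 84: "2PAY.SYS.DDF01"
    "A52C"
    "BF0C29"
    "6113" "4F07A0000000041010" "50054445424954" "870101"     # Mastercard AID, label "DEBIT", priority 1
    "6112" "4F07A0000000031010" "500456495341" "870102"       # Visa AID, label "VISA", priority 2
    "9000"
)

if __name__ == "__main__":
    print("C-APDU :", build_select_ppse().hex().upper())
    sw, aids = extract_aids(SAMPLE_PPSE_RESPONSE)
    print("SW     :", sw)
    for aid in aids:
        print("AID    :", aid)
```

Run as a script it prints the command APDU, the 9000 status word and the two AIDs. On an Android device the same command bytes would be passed to IsoDep.transceive() against the victim’s card; in the relay the Reader forwards whatever the Tapper’s terminal asks for in the same way, so this SELECT is the natural first thing to look for when reviewing an app’s NFC code.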