Cybercriminals Exploit NFC Tech to Drain Funds from ATMs and POS Systems

A recent surge in NFC (Near Field Communication)-enabled fraud has alarmed financial institutions and security experts alike, as cybercriminals rapidly innovate to exploit both ATMs and point-of-sale (POS) systems globally.

According to analysts from Resecurity, banks, credit unions, and FinTechs have faced significant economic losses, with one Fortune 100 U.S. institution losing millions to NFC-specific attacks in the first quarter of 2025 alone.

These sophisticated attacks are predominantly orchestrated by Chinese cybercriminal syndicates, whose operations are facilitated by advanced technical tools and often complicated by geopolitical, legal, and organizational barriers to enforcement.

From Mobile Wallet Exploitation to Advanced Malware

The proliferation of NFC technology, now embedded in an estimated 1.9 billion smartphones, has transformed how consumers make payments.

Mobile wallets like Google Pay and Apple Pay leverage NFC to offer convenience and heightened security, generating unique encrypted tokens for each transaction.

However, this adoption has inadvertently expanded the attack surface for cybercriminals, who now design and distribute malware and custom apps capable of emulating NFC smart cards.

Notable among these is the emergence of the “Ghost Tap” technique, allowing for the relaying of stolen card data and enabling fraudulent transactions at both ATMs and POS terminals without the victim’s knowledge.

NFCgate, a tool released in 2020 by researchers at Germany’s Technical University of Darmstadt and originally developed for legitimate NFC traffic analysis, has been weaponized into malware such as NGate.

This malware can relay NFC data in real time from a compromised phone to a remote attacker, effectively enabling remote unauthorized ATM withdrawals or purchases through NFC-enabled POS devices.

Other cybercriminal methodologies include the abuse of merchant vulnerabilities via malicious apps like “Track2NFC,” which pushes compromised terminals into offline mode to bypass verification checks, further complicating fraud detection and prevention.

Dark Web Ecosystem Fuels NFC Tool Development

Chinese-speaking cybercriminal forums and Telegram channels serve as key marketplaces for the distribution of sophisticated NFC fraud tools.

Resecurity’s investigators have identified apps such as Z-NFC, King NFC, and custom-developed Android software packages, often sold on a subscription basis with technical support and instructional guides.

These tools utilize Host Card Emulation (HCE) to mimic legitimate contactless cards using the ISO 14443 standard, allowing fraudsters to load compromised card data and automate attacks across multiple devices.

Large “farms” of Android phones, each preloaded with stolen card credentials, are used to scale fraudulent activity against major banks and e-wallet providers in the US, UK, EU, MENA, and Asia-Pacific regions.

Reverse engineering of the Z-NFC tool shows a sophisticated architecture: heavy obfuscation, dynamic payload loading, and runtime environment checks make it resistant to detection and static analysis.

The malware uses encrypted native libraries and advanced Java Native Interface (JNI) methods to inject malicious components only at runtime, ensuring critical logic remains hidden from standard security tools.

Its use of HCE means NFC card data can be rapidly spoofed or tailored for a variety of fraud scenarios, from unauthorized payments to physical security bypasses.

Cybercriminals also expand operations by recruiting “grey” merchants with legitimate NFC-enabled POS terminals, often through monetary incentives or threats.

These compromised or complicit terminals are instrumental in laundering funds and executing high-volume, low-value transactions that evade existing Cardholder Verification Method (CVM) thresholds.
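The pattern described above, many contactless taps kept just under the no-CVM limit at one terminal, is something an issuer or acquirer can look for in authorization logs. The following is an added example (not code from Resecurity or the report it describes): it reads constructed transaction records and flags terminals with a burst of near-limit, no-CVM taps inside a short window. The limit, window and threshold values are assumptions, not real scheme parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CVM_LIMIT = 50.00   # assumed placeholder; the real no-CVM limit is scheme/region specific
NEAR_LIMIT_RATIO = 0.8          # amounts in [0.8*limit, limit) count as near-limit
WINDOW = timedelta(minutes=10)  # sliding window per terminal
MIN_HITS = 4                    # near-limit no-CVM taps inside one window to alert

def parse(line):
    """CSV record: ISO timestamp, terminal id, amount, CVM performed."""
    ts, terminal, amount, cvm = line.strip().split(",")
    return datetime.fromisoformat(ts), terminal, float(amount), cvm

def suspicious_terminals(lines):
    """Map terminal id -> max count of near-limit no-CVM taps in any WINDOW."""
    per_terminal = defaultdict(list)
    for ts, term, amt, cvm in map(parse, lines):
        # Taps that used a PIN or signature are not part of the pattern.
        if cvm == "none" and NEAR_LIMIT_RATIO * CVM_LIMIT <= amt < CVM_LIMIT:
            per_terminal[term].append(ts)
    flagged = {}
    for term, times in per_terminal.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_HITS:
            flagged[term] = best
    return flagged

# Constructed sample log. T-001 shows the pattern; T-002 is normal use;
# T-003 has near-limit taps but spread over hours, so it is not flagged.
SAMPLE_LOG = """
2025-03-01T10:00:00,T-001,48.90,none
2025-03-01T10:01:10,T-001,49.50,none
2025-03-01T10:02:05,T-001,47.00,none
2025-03-01T10:03:30,T-001,49.99,none
2025-03-01T10:04:45,T-001,45.00,none
2025-03-01T10:07:00,T-001,120.00,pin
2025-03-01T10:00:00,T-002,12.30,none
2025-03-01T10:20:00,T-002,49.00,none
2025-03-01T10:30:00,T-003,49.00,none
2025-03-01T11:30:00,T-003,49.00,none
2025-03-01T12:30:00,T-003,49.00,none
2025-03-01T13:30:00,T-003,49.00,none
""".strip().splitlines()
```

Running `suspicious_terminals(SAMPLE_LOG)` returns `{'T-001': 5}`; in production the thresholds would be tuned per merchant category so that genuine high-frequency merchants such as transit gates do not trip the rule.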

The availability of soft POS software, which turns regular Android phones into payment terminals, further enables fraud on a global scale, especially when combined with stolen “Track 2” card data obtained from skimmers or dark web purchases.

Additionally, fraudsters have extended their focus to loyalty programs, leveraging NFC-enabled digital cards to steal or redeem points from programs operated by airlines, hotels, and retailers.

Such attacks highlight the broader implications of NFC fraud beyond immediate financial theft, impacting digital identity and customer rewards ecosystems.

The rise of NFC-enabled payment fraud, particularly through cross-border Chinese cybercriminal networks, underlines a critical need for enhanced security standards, robust regulatory frameworks, and international collaboration.

As criminals increasingly automate and industrialize NFC-based attacks on financial infrastructure, only multi-layered, proactive defense strategies can hope to contain this evolving threat and protect consumers and institutions worldwide.

Indicators of Compromise (IOC)

Indicator          Description
Package Name       com.hk.nfc.paypay
App Name           Often disguised as utility/NFC tool
Native Libraries   libjiagu.so, libjgdtc.so
Path               /data/data/<pkg>/.jiagu/libjiagu_64.so
Class              com.stub.StubApp
Suspicious String  “entryRunApplication” – real app class
Permissions        NFC, Camera, Internet, Storage access
URL                https://znfcqwe.top
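The indicators above are not equally specific: the package name and the URL point at this campaign, while the stub class and jiagu libraries are packer artifacts that legitimately packed apps also ship. The following added example (not tooling from Resecurity or the report) scores an app inventory, the kind of data pulled from an APK or a device, against the table and separates a definite match from a packer-only hit that merely warrants a closer look. The weights and thresholds are assumptions.

```python
# Indicator rows from the table above. WEIGHTS are an assumption: package
# name and host are campaign specific; packer artifacts are weighted low.
IOC = {
    "package": "com.hk.nfc.paypay",
    "libs": {"libjiagu.so", "libjgdtc.so"},
    "path": "/data/data/<pkg>/.jiagu/libjiagu_64.so",
    "class": "com.stub.StubApp",
    "string": "entryRunApplication",
    "host": "znfcqwe.top",
    "perms": {"NFC", "CAMERA", "INTERNET", "STORAGE"},
}
WEIGHTS = {"package": 5, "host": 5, "libs": 1, "path": 1,
           "class": 1, "string": 1, "perms": 1}

def matched_indicators(app):
    hits = set()
    pkg = app.get("package", "")
    if pkg == IOC["package"]:
        hits.add("package")
    if IOC["libs"] & set(app.get("libs", [])):
        hits.add("libs")
    # The table's path uses a <pkg> placeholder; resolve it for this app.
    if IOC["path"].replace("<pkg>", pkg) in app.get("paths", []):
        hits.add("path")
    if IOC["class"] in app.get("classes", []):
        hits.add("class")
    if any(IOC["string"] in s for s in app.get("strings", [])):
        hits.add("string")
    if any(h == IOC["host"] or h.endswith("." + IOC["host"])
           for h in app.get("hosts", [])):      # also catches subdomains
        hits.add("host")
    if IOC["perms"] <= set(app.get("perms", [])):
        hits.add("perms")
    return hits

def classify(app):
    hits = matched_indicators(app)
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "match" if score >= 5 else "review" if score >= 3 else "clean"
    return verdict, score, sorted(hits)

# Constructed inventories: a suspect app, a benign app using the same packer, a plain app.
SUSPECT = {"package": "com.hk.nfc.paypay", "libs": ["libjiagu.so"],
           "paths": ["/data/data/com.hk.nfc.paypay/.jiagu/libjiagu_64.so"],
           "classes": ["com.stub.StubApp"], "strings": ["entryRunApplication"],
           "hosts": ["api.znfcqwe.top"], "perms": ["NFC", "CAMERA", "INTERNET", "STORAGE"]}
PACKED_BENIGN = {"package": "com.example.game", "libs": ["libjiagu.so"],
                 "paths": ["/data/data/com.example.game/.jiagu/libjiagu_64.so"],
                 "classes": ["com.stub.StubApp"], "perms": ["INTERNET"]}
PLAIN = {"package": "com.example.notes", "perms": ["INTERNET", "STORAGE"]}
```

`classify(SUSPECT)` yields a "match", `classify(PACKED_BENIGN)` only a "review" on the three packer rows, and `classify(PLAIN)` is "clean".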


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
