More Than 700 Malicious Android Apps Using NFC Relay to Exfiltrate Banking Credentials

Cybersecurity researchers at zLabs have uncovered an escalating threat to mobile payment security: over 760 malicious Android applications abusing Near Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and execute fraudulent transactions.

Since April 2024, this sophisticated campaign has evolved from isolated incidents into a coordinated global operation targeting financial institutions across multiple countries.

The malware campaign has expanded its geographical footprint beyond initial observations, now actively targeting users in Russia, Poland, the Czech Republic, Slovakia, and Brazil.

Threat actors have deployed approximately 70 command-and-control servers alongside dozens of Telegram bots and private channels for data exfiltration and operational coordination.

These malicious applications impersonate approximately 20 legitimate entities, primarily Russian banks including VTB Bank, Tinkoff Bank, and Promsvyazbank, as well as international targets such as Santander, PKO Bank Polski, Bradesco, and mobile payment platforms like Google Pay.

Technical Operation and Data Exfiltration Methods

The malicious applications employ multiple operational approaches to compromise payment credentials. Some variants function as scanner and tapper tools, where one application extracts card data while another interfaces with Point of Sale systems to complete unauthorized purchases.

Other variants focus exclusively on harvesting card information and transmitting it directly to designated Telegram channels, where automated messages deliver device identifiers, card numbers, expiration dates, and EMV fields to the threat actors.

Figure: The app layout presented by variants of the NFC malware

These applications minimize user interaction by displaying simplified full-screen interfaces that mimic legitimate banking portals, often utilizing WebView components.

The malware prompts the user to set it as the default NFC payment application, which is what allows Android to route a terminal's traffic to it, while background services silently handle the resulting NFC events.

The attack chain registers a Host Card Emulation service (an Android HostApduService) that the system invokes whenever the phone is tapped against a payment terminal, enabling real-time relay of Application Protocol Data Units (APDUs) between the compromised device and attacker-controlled infrastructure.
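Every HCE relay app has to declare the same things to Android: a service protected by BIND_NFC_SERVICE, the HOST_APDU_SERVICE intent action, and an apduservice XML listing the AIDs (and the "payment" category) it wants routed to it. That makes the manifest a cheap triage point. The following script is an added example, not code from zLabs or from the campaign; it parses a constructed manifest and apduservice.xml (the com.example.fakebank package and RelayService class are invented) and flags the combination that a relay app needs. The AIDs used are public EMV constants (the PPSE directory and the generic Visa and Mastercard AIDs).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Well-known EMV application identifiers (hex). These are public constants;
# a relay app registers them so the terminal selects it as the "card".
KNOWN_PAYMENT_AIDS = {
    "325041592E5359532E4444463031": "PPSE (2PAY.SYS.DDF01)",
    "A0000000031010": "Visa",
    "A0000000041010": "Mastercard",
}

HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_PERM = "android.permission.BIND_NFC_SERVICE"

# Constructed sample manifest, modelled on what any HCE app must declare;
# the package and class names are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <service android:name=".RelayService" android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
          android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml referenced by the meta-data above.
SAMPLE_APDUSERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/desc" android:category="payment">
    <aid-filter android:name="325041592E5359532E4444463031"/>
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""


def find_hce_services(manifest_xml):
    """Return declared permissions and every service registered as an HCE handler."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        meta = {m.get(ANDROID_NS + "name"): m.get(ANDROID_NS + "resource")
                for m in svc.iter("meta-data")}
        services.append({
            "name": svc.get(ANDROID_NS + "name"),
            # The NFC stack only binds services protected by BIND_NFC_SERVICE.
            "bind_permission_ok": svc.get(ANDROID_NS + "permission") == BIND_PERM,
            "apdu_config": meta.get(HCE_META),
        })
    return {"permissions": perms, "hce_services": services}


def parse_aid_groups(apduservice_xml):
    """Extract AID groups, their category, and any well-known payment AIDs."""
    root = ET.fromstring(apduservice_xml)
    groups = []
    for g in root.iter("aid-group"):
        aids = [f.get(ANDROID_NS + "name").upper() for f in g.iter("aid-filter")]
        groups.append({
            "category": g.get(ANDROID_NS + "category"),
            "aids": aids,
            "known": {a: KNOWN_PAYMENT_AIDS[a] for a in aids if a in KNOWN_PAYMENT_AIDS},
        })
    return {"require_unlock": root.get(ANDROID_NS + "requireDeviceUnlock"),
            "groups": groups}


def triage(manifest_xml, apduservice_xml):
    """Return human-readable findings; an empty list means no HCE surface at all."""
    m = find_hce_services(manifest_xml)
    if not m["hce_services"]:
        return []
    findings = []
    for svc in m["hce_services"]:
        findings.append(f"HCE service {svc['name']} registered ({svc['apdu_config']})")
        if not svc["bind_permission_ok"]:
            findings.append(f"{svc['name']} lacks BIND_NFC_SERVICE; NFC stack will not bind it")
    cfg = parse_aid_groups(apduservice_xml)
    for g in cfg["groups"]:
        if g["category"] == "payment":
            findings.append("payment-category AID group: app can be made the default payment handler")
        for aid, label in g["known"].items():
            findings.append(f"emulates {label} AID {aid}")
    if cfg["require_unlock"] == "false":
        findings.append("requireDeviceUnlock=false: answers terminal taps on a locked phone")
    if "android.permission.INTERNET" in m["permissions"]:
        findings.append("INTERNET alongside HCE: APDUs can be relayed off-device")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_APDUSERVICE):
        print("-", line)
```

Run it against a decoded APK (apktool output gives you both files as plain XML). Legitimate wallets and some bank apps declare exactly the same surface, so a hit is a reason to look harder at the app's network behaviour and signer, not a verdict on its own; what is unusual is this combination in an app that arrived outside the official store and impersonates a bank.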

Infected devices and command servers communicate bidirectionally over WebSocket.

Key commands include a registration sequence that transmits hardware identifiers and NFC capabilities; APDU relay operations that forward each terminal request to the server and return a crafted response; and Telegram notification functions that deliver exfiltrated data to threat actor channels.

Additional commands manage device pairing status, PIN requests, and forced application updates.

Defense Evasion and Obfuscation Techniques

Threat actors implement sophisticated defense-evasion strategies, including name masquerading, to impersonate legitimate financial institutions and government services, such as Russia’s Gosuslugi portal and central banking authorities.

The malware employs code obfuscation and software packing techniques, specifically utilizing JSONPacker to conceal malicious functionality from static analysis tools.

This campaign represents a significant escalation in NFC-based financial fraud, demonstrating how threat actors abuse Android's NFC and card-emulation privileges to conduct device-level theft of payment credentials.

The continued growth trajectory suggests NFC relay abuse will remain a persistent threat to mobile payment ecosystems, requiring heightened scrutiny of applications requesting NFC payment privileges.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
