A sophisticated malware campaign exploiting Near Field Communication technology on Android devices has expanded dramatically since its emergence in April 2024.
What began as isolated incidents has escalated into a widespread threat, with over 760 malicious applications now circulating in the wild.
These malicious apps abuse NFC and Host Card Emulation capabilities to illegally capture payment data and facilitate fraudulent transactions.
The campaign has broadened its geographical footprint beyond initial targets, now affecting users across Russia, Poland, Czech Republic, Slovakia, and Brazil.
The malware operates by masquerading as legitimate financial institution applications, tricking users into installing apps that appear to represent trusted banks and government agencies.
Once installed, these applications prompt victims to designate them as the default NFC payment method on their devices.
The malicious software then silently intercepts payment card data during tap-to-pay transactions, exfiltrating sensitive information including card numbers, expiration dates, and EMV fields to threat actors through private Telegram channels.
Zimperium analysts identified a sprawling infrastructure supporting these operations, uncovering over 70 command-and-control servers, dozens of Telegram bots used for coordination, and approximately 20 impersonated institutions.
Among the targeted entities are major Russian banks like VTB, Tinkoff, and Promsvyazbank, alongside international institutions such as Santander, Bradesco, PKO Bank Polski, and government portals including Russia’s Gosuslugi service.
The malware’s operational methods vary, with some variants functioning as scanner tools that extract card data for subsequent POS purchases, while others directly exfiltrate stolen credentials to attacker-controlled channels.
The malicious applications establish persistent connections with command-and-control servers through WebSocket communications, enabling real-time bidirectional exchanges.
The apps execute commands such as register_device, which transmits hardware identifiers, device models, NFC support status, and IP addresses to the server.
The apdu_command instruction forwards payment terminal requests to the C2 infrastructure, while apdu_response returns crafted replies that manipulate transaction flows.
Additional commands like card_info and get_pin facilitate the extraction of complete payment credentials, with threat actors receiving automated notifications containing full card details through Telegram integrations via the telegram_notification command.
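The command set described above suggests a stateful detection approach: a device that registers, relays APDUs, and then receives credential-extraction commands is the full relay pattern. The following is an added illustrative detector, not code from the article or from Zimperium; the JSON frame layout (cmd, device_id) and the sample frames are assumptions constructed for the example, while the command names are the ones named in the article.

```python
import json
from collections import defaultdict

# Command names come from the article; the frame layout is an assumed format.
RELAY_CMDS = {"apdu_command", "apdu_response"}
EXFIL_CMDS = {"card_info", "get_pin", "telegram_notification"}


def analyse_frames(frames):
    """Group captured WebSocket frames per device and flag sessions showing
    the register -> APDU relay -> credential exfiltration sequence."""
    sessions = defaultdict(lambda: {"registered": False, "relayed": 0, "exfil": set()})
    for raw in frames:
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON frame (e.g. binary or keepalive); skip it
        cmd = msg.get("cmd")
        dev = msg.get("device_id", "unknown")
        state = sessions[dev]
        if cmd == "register_device":
            state["registered"] = True
        elif cmd in RELAY_CMDS:
            state["relayed"] += 1
        elif cmd in EXFIL_CMDS:
            state["exfil"].add(cmd)
    alerts = []
    for dev, state in sessions.items():
        # Only the complete chain is alerted on; registration alone is not enough.
        if state["registered"] and state["relayed"] and state["exfil"]:
            alerts.append({
                "device_id": dev,
                "relayed_apdus": state["relayed"],
                "exfil_cmds": sorted(state["exfil"]),
            })
    return alerts


# Constructed sample frames for illustration; not real captured traffic.
SAMPLE_FRAMES = [
    '{"cmd":"register_device","device_id":"dev-A","model":"PLACEHOLDER","nfc":true}',
    '{"cmd":"apdu_command","device_id":"dev-A","apdu":"CONSTRUCTED_APDU_HEX"}',
    '{"cmd":"apdu_response","device_id":"dev-A","apdu":"CONSTRUCTED_RESPONSE_HEX"}',
    '{"cmd":"card_info","device_id":"dev-A"}',
    '{"cmd":"get_pin","device_id":"dev-A"}',
    '{"cmd":"register_device","device_id":"dev-B","model":"PLACEHOLDER","nfc":false}',
    'not a json frame',
]

if __name__ == "__main__":
    print(analyse_frames(SAMPLE_FRAMES))
```

Run against a decoded WebSocket capture, only dev-A is reported, because dev-B registered but never relayed APDUs or received exfiltration commands.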