Europe has seen a surge in Android malware that steals payment data via NFC relay attacks. Researchers have discovered over 760 malicious apps that mimic Google Pay and banking apps and are specifically targeting card data theft from users in Eastern Europe. Unlike classic banking Trojans, these apps use Android Host Card Emulation (HCE), which allows emulation of contactless cards and interception of EMV fields for subsequent fraudulent transactions without the owner’s involvement.

Attack methods:
- stealing EMV data and sending it to Telegram bots
- relay tools that forward POS terminal requests to the attackers' server
- "ghost-tap": instant generation of responses for the POS terminal
- fake banking and Google Pay applications that register themselves as a standard payment service on Android

According to Zimperium, the following were recorded:
- 760+ malicious APKs
- 70+ C2 servers
- dozens of private Telegram channels for data exfiltration
- a wave of attacks in Poland, the Czech Republic, Slovakia, Russia and other countries in the region

Attackers disguise the applications as Google Pay, Santander, VTB, Tinkoff, ING, Bradesco and other banks.

The first such attacks were recorded in 2023 in Poland. The wave then spread to the Czech Republic and the Russian Federation. The technique has since become widespread, and the code is actively distributed in underground groups. NFC relay attacks belong to the class of threats that enable offline fraud in stores without requiring the victim's logins or passwords.

Protection:
- do not install APKs from outside Google Play
- download banking apps only via the bank's official links
- review the permissions an app requests (especially NFC and Foreground Service)
- disable NFC when it is not in use
- run a Play Protect scan regularly
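The "registered as a standard payment service" point in the attack methods and the "review the permissions" point above can be checked mechanically on a decoded APK. The script below is an added example, not code from Zimperium or from the malware described: it parses a constructed AndroidManifest.xml and its HCE service descriptor (res/xml/apduservice.xml) and flags the combination that makes this malware family possible, namely a HostApduService registered for the "payment" AID category together with NFC, INTERNET and FOREGROUND_SERVICE permissions. The package name, labels and the "trusted packages" allow-list are placeholders; the Android action, meta-data and permission names are the real ones the HCE framework requires.

```python
"""Triage a decoded Android manifest for HCE payment-service registration.

Added example (not the page's or Zimperium's code). Heuristic: an app that
(a) declares a HostApduService for the 'payment' AID category and
(b) requests NFC + INTERNET + FOREGROUND_SERVICE deserves review unless it is
a known, officially distributed wallet or banking app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Real Android HCE identifiers: a card-emulation service must handle this action,
# carry this meta-data entry and be protected by this bind permission.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
HCE_BIND_PERMISSION = "android.permission.BIND_NFC_SERVICE"

# Constructed manifest in the shape a decoded APK's AndroidManifest.xml has.
# Package name and label are placeholders, not indicators from the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Wallet">
    <service android:name=".CardService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed res/xml/apduservice.xml. The aid-group category tells Android
# whether the service wants to act as a payment card. The two AIDs are the
# public Mastercard and Visa application identifiers a genuine wallet also uses.
SAMPLE_APDU_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
                   android:description="@string/service_desc"
                   android:requireDeviceUnlock="false">
  <aid-group android:category="payment" android:description="@string/aid_group">
    <aid-filter android:name="A0000000041010"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>
"""


def _a(elem, attr):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def declared_permissions(manifest_xml):
    """Set of permission names the app requests via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_a(p, "name") for p in root.iter("uses-permission")}


def hce_services(manifest_xml):
    """Services registered as HCE handlers, with the properties worth noting."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        actions = {_a(a, "name") for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        found.append({
            "name": _a(svc, "name"),
            "exported": _a(svc, "exported") == "true",
            "bind_permission_ok": _a(svc, "permission") == HCE_BIND_PERMISSION,
            "has_meta": any(_a(m, "name") == HCE_META for m in svc.iter("meta-data")),
        })
    return found


def payment_aids(apdu_service_xml):
    """AIDs the service registers under the 'payment' category."""
    root = ET.fromstring(apdu_service_xml)
    aids = []
    for grp in root.iter("aid-group"):
        if _a(grp, "category") == "payment":
            aids.extend(_a(f, "name") for f in grp.iter("aid-filter"))
    return aids


def triage(manifest_xml, apdu_service_xml, trusted_packages=frozenset()):
    """Combine the signals into a verdict: 'ok' or 'review'."""
    pkg = ET.fromstring(manifest_xml).get("package")
    perms = declared_permissions(manifest_xml)
    services = hce_services(manifest_xml)
    aids = payment_aids(apdu_service_xml) if services else []
    findings = []
    if services and aids:
        findings.append(f"registers an HCE payment service for AIDs {aids}")
    if {"android.permission.NFC", "android.permission.INTERNET"} <= perms:
        findings.append("NFC plus INTERNET: EMV data handled over NFC can leave the device")
    if services and "android.permission.FOREGROUND_SERVICE" in perms:
        findings.append("FOREGROUND_SERVICE with an HCE service: can stay resident while emulating")
    verdict = "review" if findings and pkg not in trusted_packages else "ok"
    return {"package": pkg, "verdict": verdict, "findings": findings, "payment_aids": aids}


if __name__ == "__main__":
    # Placeholder allow-list; a real one would hold the bank's published package names.
    for line in triage(SAMPLE_MANIFEST, SAMPLE_APDU_SERVICE, trusted_packages={"com.example.realbank"})["findings"]:
        print("-", line)
```

Run it against the decoded output of apktool or a similar decoder: any app on the "review" list that is not the bank's published package name, or that was sideloaded rather than installed from Google Play, is exactly the case the Protection list above describes.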
NFC relay malware is no longer a cybercriminal experiment: it has become a real financial threat to European users and banks. Given the scale of its distribution, Android users should expect new waves of attacks, especially ones in which fraudsters use Telegram infrastructure.