
Android Apps misusing NFC and HCE to steal payment data on the rise


Zimperium zLabs found 760+ Android apps abusing NFC and HCE to steal payment data, showing a surge in NFC relay fraud since April 2024.

Zimperium zLabs researchers spotted over 760 Android apps abusing Near-Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and commit fraud, showing rapid growth in NFC relay attacks since April 2024.

The NFC malware targets banks, payment services and government portals worldwide, including Russian banks and regulators, European banks (PKO, ČSOB, NBS), Brazilian banks, Google Pay and others. The malicious apps impersonate trusted institutions to lure victims into installing them. Variants operate either as paired “scanner/tapper” toolchains (one device reads the victim’s card while another presents it to a payment terminal) or as standalone data collectors that exfiltrate EMV data to Telegram channels, sending device IDs, card numbers and expiry dates. The apps urge users to set them as the default NFC payment handler, which is what allows a background HCE service to receive and process the terminal’s APDU exchanges.

Operators control the apps remotely through a command-and-control (C2) server. They send simple commands to log in, register the device, relay card-terminal requests (APDUs), supply PINs, check status, pair devices, push updates, or send Telegram alerts, letting them carry out fraudulent transactions with little involvement from the victim.
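To make the scanner/tapper relay concrete, here is an added example (not Zimperium’s code and not a sample from the campaign) that models the exchange in-process: a constructed EMV card answers SELECT and READ RECORD, a stand-in for the C2 channel forwards each terminal APDU to the card and the response back, and the operator parses the BER-TLV response to pull out the PAN (tag 5A), expiry (5F24) and Track 2 data (57) that the report says the malware exfiltrates. The AID, card number and APDU script are made-up test values; a real terminal session has several more steps (GPO, authentication, cryptogram generation) that are omitted here.

```python
"""Toy model of the scanner/tapper NFC relay described above.

Added example, not Zimperium's code or any sample from the campaign. The card,
the terminal's APDU script and the 'C2' relay are all constructed in-process so
it runs offline; the AID and card data are made-up test values.
"""
from dataclasses import dataclass, field

SW_OK = b"\x90\x00"                 # status word: success
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"


def tlv(tag_hex: str, value: bytes) -> bytes:
    """Encode one short-form BER-TLV element (value shorter than 128 bytes)."""
    assert len(value) < 0x80
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Flatten BER-TLV data into {hex tag: value}, descending into constructed
    templates (6F, 70, 77, A5 ...) the way EMV responses nest them."""
    out: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:           # multi-byte tag, e.g. 5F24
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                   # long-form length (81 xx / 82 xx xx)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                    # constructed tag: recurse
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


class FakeCard:
    """Stand-in for the victim's contactless EMV card (constructed test data)."""
    AID = bytes.fromhex("A0000000041010")   # sample AID only
    RECORD = tlv("70",
                 tlv("5A", bytes.fromhex("5413330089604111"))                           # PAN
                 + tlv("5F24", bytes.fromhex("261231"))                                 # expiry YYMMDD
                 + tlv("57", bytes.fromhex("5413330089604111D2612201" + "0" * 15 + "F")))  # Track 2

    def transmit(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0xA4:                                 # SELECT by AID
            lc = apdu[4]
            if apdu[5:5 + lc] == self.AID:
                return tlv("6F", tlv("84", self.AID)) + SW_OK   # minimal FCI
            return SW_FILE_NOT_FOUND
        if ins == 0xB2:                                 # READ RECORD
            return self.RECORD + SW_OK
        return SW_INS_NOT_SUPPORTED


@dataclass
class C2Log:
    """What the operator's relay/C2 sees: every APDU pair plus harvested fields."""
    exchanges: list[tuple[bytes, bytes]] = field(default_factory=list)
    harvested: dict[str, str] = field(default_factory=dict)


def relay_session(terminal_apdus: list[bytes], card: FakeCard, log: C2Log) -> list[bytes]:
    """Tapper side: the HCE service at the terminal receives each APDU and
    forwards it (a function call here stands in for the C2 channel) to the
    scanner side, which transmits it to the real card; the answer flows back.
    Along the way the operator parses the EMV fields the report says are exfiltrated."""
    responses = []
    for apdu in terminal_apdus:
        rsp = card.transmit(apdu)
        log.exchanges.append((apdu, rsp))
        if rsp.endswith(SW_OK) and len(rsp) > 2:
            fields = parse_tlv(rsp[:-2])
            if "5A" in fields:
                log.harvested["pan"] = fields["5A"].hex()
            if "5F24" in fields:
                log.harvested["expiry"] = fields["5F24"].hex()
            if "57" in fields:
                log.harvested["track2"] = fields["57"].hex().upper().rstrip("F")
        responses.append(rsp)
    return responses


def terminal_script() -> list[bytes]:
    """Two APDUs a terminal sends early in a contactless session (simplified)."""
    select = bytes.fromhex("00A40400") + bytes([len(FakeCard.AID)]) + FakeCard.AID + b"\x00"
    read_record = bytes.fromhex("00B2010C00")    # READ RECORD: record 1, SFI 1
    return [select, read_record]


def run_demo() -> C2Log:
    log = C2Log()
    relay_session(terminal_script(), FakeCard(), log)
    return log


if __name__ == "__main__":
    result = run_demo()
    for apdu, rsp in result.exchanges:
        print(f"T>C {apdu.hex()}   C>T {rsp.hex()}")
    print("harvested:", result.harvested)
```

The point of the model is that nothing in the relayed traffic is altered: the terminal talks to what it believes is a card, the card answers what it believes is a terminal, and the only thing the operator needs from the victim is physical proximity to the phone running the scanner side. That is why the report stresses the default-payment-handler prompt rather than any exploit.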

Continuous device registration and dynamic command flows complicate detection and response.

According to Zimperium, since April 2024, over 70 command-and-control (C2) servers and dozens of Telegram bots have been used to target over 20 institutions globally, mainly Russian banks, through hundreds of malicious NFC-enabled app variants.

“With the rapid growth of ‘Tap-to-Pay’ transactions, NFC has become an increasingly attractive target for cybercriminals. These malicious applications exploit Android’s NFC permission to steal payment data directly from victims’ devices—illustrating why this attack technique has gained significant traction in recent months,” concludes the report published by Zimperium.

“Financial institutions, mobile vendors, and users should treat any unknown or unfamiliar application requesting NFC payment privileges as high risk.”
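The recommendation above is actionable as a static check: an app can only become the default tap-to-pay handler if it declares a host-APDU service whose AID group is in the “payment” category. The following added example (not Zimperium’s code) reads a decoded AndroidManifest.xml and the host-apdu-service resource it references, as a decoder such as apktool writes them to disk, and reports whether the app asks for NFC payment privileges. Both inputs are constructed samples for a hypothetical look-alike bank app; the resource lookup is a dictionary standing in for reading res/xml/<name>.xml.

```python
"""Static triage of a decoded Android app for NFC payment (HCE) privileges.

Added example, not Zimperium's code. It parses the text AndroidManifest.xml and
the referenced host-apdu-service XML as produced by a decoder such as apktool;
both inputs below are constructed samples for a hypothetical app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"


def android(attr: str) -> str:
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample: a look-alike "bank" app declaring a payment-category HCE service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="My Bank">
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed stand-in for res/xml/apduservice.xml, keyed by the manifest's reference.
SAMPLE_RESOURCES = {
    "@xml/apduservice": """\
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
                   android:description="@string/service_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_desc" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>
"""
}


def triage(manifest_xml: str, resources: dict[str, str]) -> dict:
    """Return the NFC-relevant facts about the app plus a coarse risk verdict.

    `resources` maps android:resource references (e.g. "@xml/apduservice") to the
    decoded XML text; a real pipeline would read res/xml/<name>.xml instead."""
    root = ET.fromstring(manifest_xml)
    perms = {u.get(android("name")) for u in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {act.get(android("name")) for act in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue                        # not an HCE service
        entry = {
            "name": svc.get(android("name")),
            # Android only binds HCE services that require BIND_NFC_SERVICE
            "bind_permission_ok": svc.get(android("permission")) == BIND_NFC,
            "categories": set(),
            "aids": [],
            "require_unlock": None,
        }
        for md in svc.iter("meta-data"):
            ref = md.get(android("resource"))
            if md.get(android("name")) == HCE_META and ref in resources:
                svc_root = ET.fromstring(resources[ref])
                entry["require_unlock"] = svc_root.get(android("requireDeviceUnlock"))
                for grp in svc_root.iter("aid-group"):
                    entry["categories"].add(grp.get(android("category")))
                    entry["aids"] += [f.get(android("name")) for f in grp.iter("aid-filter")]
        services.append(entry)

    payment = any("payment" in s["categories"] for s in services)
    return {
        "package": root.get("package"),
        "nfc_permission": "android.permission.NFC" in perms,
        "internet_permission": "android.permission.INTERNET" in perms,
        "hce_services": services,
        # Payment-category HCE is what lets the app become the default tap-to-pay
        # handler; together with network access it matches the profile in the report.
        "high_risk": payment and "android.permission.INTERNET" in perms,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_RESOURCES), indent=2, default=list))
```

Legitimate wallet apps declare exactly the same manifest elements, so a “high_risk” result is a prioritisation signal for unknown or sideloaded apps, not a malware verdict; the next step is to compare the package, signing certificate and network endpoints against the campaign IOCs that Zimperium published.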

The researchers published IOCs for this campaign in this repository.


Pierluigi Paganini

(SecurityAffairs – hacking, Android)