New NFC-Relay Attack Campaign Detected by Researchers

Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered a freshly launched NFC relay-attack campaign aimed at users in Brazil. 

The malware family — named RelayNFC — is distributed through phishing sites disguised as legitimate payment-card “security” applications. The researchers identified five such malicious domains distributing the app. 

Once installed, RelayNFC transforms the victim’s Android device into a remote “card reader.” It captures payment-card data when the user taps their card to the device, then relays that data in real time to an attacker-controlled server.  

After reading the card, the app displays a screen requesting the user’s PIN (4- or 6-digit), thereby harvesting authentication credentials. 

The malware communicates with the attacker’s server via WebSocket, using a “full real-time APDU relay channel.” This allows attackers to complete contactless payments as if they had the physical card in hand. 

RelayNFC is built using React Native, with its JavaScript code compiled via the Hermes engine into bytecode — a method that complicates static analysis and helps the malware evade detection.

According to the report, the malicious app shows zero detections on the widely used scanning platform VirusTotal — underscoring how stealthy and novel the malware currently is.
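One defender-side triage check the Hermes observation suggests: before static review, determine whether an APK's React Native bundle is Hermes bytecode rather than readable JavaScript, so the analyst knows a bytecode disassembler is needed. This is an added example written for this post, not code from CRIL or from the malware; it assumes the standard Hermes file header (8-byte magic followed by a little-endian uint32 version) and the default bundle path `assets/index.android.bundle`.

```python
# Triage helper: does an APK ship a Hermes-compiled React Native bundle?
# Added example for this post; not code from CRIL or from the malware sample.
# Assumption: Hermes bytecode files begin with the 8-byte magic
# C6 1F BC 03 C1 03 19 1F followed by a little-endian uint32 bytecode version.
import io
import struct
import zipfile

HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")
BUNDLE_PATHS = ("assets/index.android.bundle",)  # default RN bundle location


def inspect_bundle(data: bytes) -> dict:
    """Classify a bundle blob as Hermes bytecode or plain JavaScript."""
    if data[:8] != HERMES_MAGIC:
        return {"kind": "plain-js", "version": None}
    # Version field sits right after the magic; guard against truncated files.
    version = struct.unpack_from("<I", data, 8)[0] if len(data) >= 12 else None
    return {"kind": "hermes-bytecode", "version": version}


def triage_apk(apk_bytes: bytes) -> dict:
    """Look for a React Native bundle inside an APK (a zip) and classify it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        for path in BUNDLE_PATHS:
            if path in names:
                info = inspect_bundle(zf.read(path))
                info["path"] = path
                return info
    return {"kind": "no-rn-bundle", "version": None, "path": None}


def build_sample_apk(bundle: bytes) -> bytes:
    """Construct a minimal zip mimicking an APK layout (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("assets/index.android.bundle", bundle)
    return buf.getvalue()


# Constructed samples: a Hermes header claiming bytecode version 96, and a
# plain-JS bundle as Metro would emit it without Hermes.
SAMPLE_HERMES = HERMES_MAGIC + struct.pack("<I", 96) + b"\x00" * 32
SAMPLE_JS = b"var __BUNDLE_START_TIME__=Date.now();"

if __name__ == "__main__":
    for label, bundle in (("hermes", SAMPLE_HERMES), ("plain", SAMPLE_JS)):
        print(label, triage_apk(build_sample_apk(bundle)))
```

A real APK is passed as its raw bytes (`triage_apk(open("app.apk", "rb").read())`); a `hermes-bytecode` result means the bundle must be disassembled rather than read as source.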
