The Rise of NFC Relay Malware on Mobile Devices
Cybersecurity researchers are warning about a growing threat known as NFC relay malware, which targets mobile devices and contactless payment systems. This type of malware exploits the Near Field Communication (NFC) technology used in many smartphones for tap-to-pay transactions. Once installed, it can secretly capture payment information and allow criminals to carry out fraudulent purchases.
According to researchers, hundreds of malicious Android applications have already been identified using this technique. Since 2024, more than 760 apps have been discovered that abuse NFC and the Android feature called Host Card Emulation (HCE), which normally allows a phone to behave like a contactless payment card.
These malicious apps are usually disguised as legitimate banking or government services. Victims may be tricked into downloading them from unofficial sources and asked to set them as the device’s default payment app. Once active, the malware quietly runs in the background and intercepts payment data when the user taps their phone or card for a transaction.
The stolen data is then sent to attacker-controlled servers or messaging platforms such as Telegram. Criminals can relay this information in real time to another device, which imitates the victim’s card at a payment terminal and completes fraudulent purchases without the victim being present.
Researchers say the scale and organization behind these campaigns are growing quickly. The infrastructure supporting them includes dozens of command-and-control servers and communication channels used to coordinate attacks and collect stolen information.
Security experts advise users to download apps only from official app stores, carefully review permission requests, and be cautious if an application asks to change the phone’s default payment settings. Taking these precautions can help reduce the risk of becoming a victim of this emerging mobile payment threat.
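For defenders vetting apps before they reach managed devices, the Host Card Emulation abuse described above leaves a visible trace in the app manifest. The following is an added example, not code from the researchers or from any vendor: it flags any decoded `AndroidManifest.xml` that declares an HCE service, using a constructed sample manifest and a hypothetical allowlist of expected wallet packages.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
INTERNET = "android.permission.INTERNET"

# Constructed allowlist: wallet packages this fleet is expected to run (assumption).
EXPECTED_WALLETS = {"com.example.corpwallet"}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def hce_findings(manifest_xml, allowlist=frozenset(EXPECTED_WALLETS)):
    """Return (package, findings) for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if HCE_ACTION in actions:
            findings.append("HCE service: " + str(svc.get(A + "name")))
    if findings:  # only apps that can emulate a card are of interest
        if package not in allowlist:
            findings.append("package not in expected wallet allowlist")
        if INTERNET in perms:
            findings.append("can emulate a card and reach the network")
    return package, findings


if __name__ == "__main__":
    pkg, issues = hce_findings(SAMPLE_MANIFEST)
    print(pkg, *issues, sep="\n  ")
```

The input is the text manifest produced by a decoder such as apktool, not the binary XML inside the APK. The network finding is a triage signal only, since legitimate wallets also use the network.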
