A major NFC relay malware surge is hitting Europe, exposing Android users to large-scale payment card theft. Researchers uncovered over 760 malicious apps that exploit the phone’s NFC capabilities to steal credit and debit card data. The attacks are spreading fast, and criminals are now turning the convenience of contactless payments into a gateway for financial fraud.
How NFC Relay Malware Works
This malware abuses Android’s Host Card Emulation (HCE) feature, which allows apps to act like physical cards for contactless transactions. Once installed, the malicious app collects sensitive payment data, including EMV information, and transmits it to a remote device or server.
Attackers can then use that data to perform real-time “relay” transactions, essentially authorizing payments as if the victim’s card were physically present at a terminal. This technique bypasses traditional banking security layers and enables instant fraud.
Main Tactics Used by Attackers
Researchers describe several recurring patterns in these new NFC malware families:
- Data harvesters: Steal EMV fields and upload them to command servers or Telegram channels.
- Relay frameworks: Mirror live communication between the victim’s phone and a fraudulent terminal.
- “Ghost-tap” operations: Inject real-time data to trick point-of-sale systems.
- Fake payment apps: Disguise themselves as Google Pay or regional banking tools to lure users.
Each method allows criminals to extract usable card data and perform transactions within seconds.
Regions Most Affected
The attacks were first spotted in Poland and the Czech Republic, before spreading across Slovakia, Russia, and neighboring countries. Researchers note a sharp increase in copycat variants, indicating that malware-as-a-service kits are enabling unskilled actors to join the campaign.
Why NFC Relay Malware Is Growing
Relay attacks are attractive because they offer immediate financial return. Unlike credential theft or phishing scams, these attacks don’t rely on stealing passwords. Instead, they exploit NFC and mobile payment systems directly.
The rise of contactless transactions and Android’s wide device ecosystem gives attackers a massive target pool. In 2025, the number of NFC-capable smartphones in Europe exceeded 400 million—providing fertile ground for this new wave of fraud.
How Users Get Infected
Most victims install these malicious apps outside official stores. Cybercriminals promote them on social media, Telegram channels, and fake banking sites. Once installed, the apps request permissions like NFC access, foreground service, and accessibility control. Many victims unknowingly set them as the default tap-to-pay handler, allowing them to intercept transactions silently.
How to Stay Protected
You can minimize your risk with a few key precautions:
- Install apps only from trusted sources such as Google Play or verified banking links.
- Disable NFC when not in use. Keep it off until you need it for a transaction.
- Review app permissions and uninstall any suspicious wallets or payment tools.
- Monitor bank statements for small or repeated charges from unfamiliar merchants.
- Enable transaction alerts to receive instant notifications of contactless payments.
- Security experts also advise using Play Protect or a reputable antivirus to detect relay malware early.
What Banks and Institutions Can Do
Banks should strengthen token validation, merchant velocity rules, and cryptogram verification. By tightening contactless transaction controls, they can limit the success of relay-based fraud. Education campaigns should warn users about fake wallet apps and the dangers of sideloading payment tools.
Final Thoughts
The ongoing NFC relay malware surge marks a turning point in mobile payment security. With more than 760 malicious Android apps already uncovered, criminals have found a fast, profitable way to steal card data.
Consumers must stay alert, limit NFC use, and download apps only from legitimate sources. Financial institutions, meanwhile, should adopt stronger anti-relay defenses and guide their customers toward safer contactless habits. As contactless payments continue to grow, vigilance will be key to staying ahead of this rapidly evolving threat.
