Android Users Warned of New “NFC Relay” Malware That Fakes Tap-to-Pay Transactions to Steal Credit Card Data

435/68 Friday, October 31, 2025

Mobile security firm Zimperium has uncovered a fast-spreading cyber threat targeting Android users who use the Tap-to-Pay payment feature. Since April 2024, the company’s researchers have been tracking more than 760 malicious apps designed to exploit Near Field Communication (NFC) and Host Card Emulation (HCE) capabilities built into Android devices. These apps hijack contactless payment processes in real time—effectively turning victims’ smartphones into tools for financial fraud.

The Tap-and-Steal attacks work by disguising the malware as legitimate banking or government service apps, such as Google Pay, Santander, or national e-service applications. Once installed, these fake apps trick users into setting them as the default payment method. When the user taps their phone to pay at a Point-of-Sale (POS) terminal, the malware activates an NFC Relay function that instantly transmits the victim’s credit card data (including EMV information) to a hacker-controlled server. The attacker then uses a secondary device to replay the data and perform real-world fraudulent transactions, all without ever accessing the victim’s physical card.

This attack is considered far more dangerous than traditional banking malware, which typically uses fake overlays or SMS interception. By exploiting Android’s core payment functionality, NFC Relay malware behaves like a virtual payment card, making theft faster and harder to detect. Zimperium reports that infections have already been observed across multiple countries worldwide.

The company advises Android users to:

  • Download apps only from the official Google Play Store.
  • Avoid third-party app stores.
  • Keep mobile security software updated.
  • Be extremely cautious about any prompts requesting to change payment settings or default payment apps on the device.
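
The attack described above depends on an app registering a Host Card Emulation service and having network access to relay data. The following triage check is an added example, not code from Zimperium or the source article: it flags decoded Android manifests that declare an HCE service plus the INTERNET permission and are not on an expected-wallet allowlist. The allowlist contents, the sample manifest and the function name `triage_manifest` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
# Assumption: wallet packages this organisation expects on managed devices.
EXPECTED_WALLETS = {"com.google.android.apps.walletnfcrel"}

# Constructed sample: a decoded manifest (text XML, e.g. produced by an APK
# decoding tool) for a made-up app that registers an HCE service.
SAMPLE_HCE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankhelper">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml, expected=EXPECTED_WALLETS):
    """Summarise the HCE exposure of one decoded AndroidManifest.xml."""
    # Parse only manifests from your own analysis pipeline; ElementTree is
    # not hardened against hostile XML entity tricks.
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hce_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        metas = {m.get(ANDROID_NS + "name") for m in svc.iter("meta-data")}
        if HCE_ACTION in actions or HCE_META in metas:
            hce_services.append(svc.get(ANDROID_NS + "name"))
    has_net = "android.permission.INTERNET" in perms
    # Legitimate wallets also combine HCE with network access, so only
    # packages outside the allowlist are marked for review.
    review = bool(hce_services) and has_net and package not in expected
    return {"package": package, "hce_services": hce_services,
            "internet": has_net, "review": review}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_HCE))
```

A hit means the app deserves manual review, not that it is malware. The payment AID category is declared in the referenced `@xml` resource, which this manifest-only check does not read.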

Source: https://hackread.com/nfc-relay-malware-clone-tap-to-pay-android/