NFC relay malware surge on Android
Malware Activity
Summary
The NFC relay malware wave on Android has expanded to 760+ malicious apps, increasing theft of contactless payment data across Eastern Europe. The apps abuse Host Card Emulation (HCE) to emulate cards or relay APDU commands so attackers can authorize POS payments without the physical cardholder present. Researchers also found supporting infrastructure, including 70+ C2 servers and Telegram channels used to move stolen data and coordinate operations.
Related Happenings
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
An **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Perseus Android malware family actively distributed in the wild
Malware Activity
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
IPTV app lure campaign distributing Massiv Android banking malware
Campaign
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
Perseus Android note-stealing and remote-control malware activity
Malware Activity
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
The **Perseus** Android malware is now being used to inspect user notes for secrets, creating theft risk for **passwords**, **recovery phrases**, and **financial data**. It is als...
Timeline
- 30.10.2025 22:17 · 2 articles · 6mo ago
NFC relay malware steals payment card data across Eastern Europe
Campaign Scope Update
Researchers identified over 760 malicious Android apps abusing Host Card Emulation (HCE) to capture EMV fields or relay APDU commands from POS terminals, enabling contactless payments without the physical cardholder present. The activity was first spotted in Poland in 2023 and later expanded to the Czech Republic, Russia, and other parts of Eastern Europe; supporting infrastructure included over 70 C2 servers, app distribution hubs, and Telegram bots or private channels used to exfiltrate stolen data and coordinate operations.
Sources:
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17