NFC relay malware surge on Android
Malware Activity
Summary
Hide ▲
Show ▼
The NFC relay malware wave on Android has expanded to 760+ malicious apps, increasing theft of contactless payment data across Eastern Europe. The apps abuse Host Card Emulation (HCE) to emulate cards or relay APDU commands so attackers can authorize POS payments without the physical cardholder present. Researchers also found supporting infrastructure, including 70+ C2 servers and Telegram channels used to move stolen data and coordinate operations.
Related Happenings
NFCShare Android malware spreads via fake banking-app updates
Malware Activity
H score21
First: 09.06.2026 01:11
Last: 09.06.2026 01:11
Sources 1
About this happening:
The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...
NFCShare Android malware spreads via fake banking-app updates
Malware ActivityAbout this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...
NFCShare fake banking-app update phishing campaign
Campaign
H score40
First: 09.06.2026 01:11
Last: 09.06.2026 01:11
Sources 1
About this happening:
The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...
NFCShare fake banking-app update phishing campaign
CampaignAbout this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
H score37
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate Android Brazil fake-app and fake-lottery campaign
CampaignAbout this happening: A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
H score34
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
NGate malware trojanized HandyPay NFC-stealing variant
Malware ActivityAbout this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Timeline
-
30.10.2025 22:17 2 articles · 8mo ago
NFC relay malware steals payment card data across Eastern Europe
Campaign Scope UpdateResearchers identified over 760 malicious Android apps abusing Host Card Emulation (HCE) to capture EMV fields or relay APDU commands from POS terminals, enabling contactless payments without the physical cardholder present. The activity was first spotted in Poland in 2023 and later expanded to the Czech Republic, Russia, and other parts of Eastern Europe; supporting infrastructure included over 70 C2 servers, app distribution hubs, and Telegram bots or private channels used to exfiltrate stolen data and coordinate operations.
Show sources
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17
- Massive surge of NFC relay malware steals Europeans’ credit cards — www.bleepingcomputer.com — 30.10.2025 22:17