Find notable cyber news and cases, enriched with sources, timelines, and signals.

NFC relay malware surge on Android

Malware Activity
First reported
Last updated
Happening score
H score 20
1 unique sources, 1 articles

Summary

Hide ▲

The NFC relay malware wave on Android has expanded to 760+ malicious apps, increasing theft of contactless payment data across Eastern Europe. The apps abuse Host Card Emulation (HCE) to emulate cards or relay APDU commands so attackers can authorize POS payments without the physical cardholder present. Researchers also found supporting infrastructure, including 70+ C2 servers and Telegram channels used to move stolen data and coordinate operations.

Related Happenings

NFCShare Android malware spreads via fake banking-app updates

Malware Activity
H score21 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...

NFCShare fake banking-app update phishing campaign

Campaign
H score40 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...

Magecart Stripe and Google Tag Manager card-skimming campaign

Campaign
H score36 First: 04.06.2026 23:47 Last: 04.06.2026 23:47 Sources 1

About this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...

NGate Android Brazil fake-app and fake-lottery campaign

Campaign
H score37 First: 21.04.2026 12:00 Last: 21.04.2026 12:00 Sources 1

About this happening: A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...

NGate malware trojanized HandyPay NFC-stealing variant

Malware Activity
H score34 First: 21.04.2026 12:00 Last: 21.04.2026 12:00 Sources 1

About this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...

Timeline

  1. 30.10.2025 22:17 2 articles · 8mo ago

    NFC relay malware steals payment card data across Eastern Europe

    Campaign Scope Update

    Researchers identified over 760 malicious Android apps abusing Host Card Emulation (HCE) to capture EMV fields or relay APDU commands from POS terminals, enabling contactless payments without the physical cardholder present. The activity was first spotted in Poland in 2023 and later expanded to the Czech Republic, Russia, and other parts of Eastern Europe; supporting infrastructure included over 70 C2 servers, app distribution hubs, and Telegram bots or private channels used to exfiltrate stolen data and coordinate operations.

    Show sources