Android tap-to-pay malware relays NFC card data for fraudulent payments
Malware Activity
Summary
A wave of Android tap-to-pay malware is enabling unauthorized contactless payments by relaying NFC card data from victims’ phones to criminal devices. The operation uses paired reader and tapper apps and has produced 54+ malicious APK samples. Group-IB linked the activity to at least $355,000 in illegitimate transactions and cases in the Czech Republic, Singapore, Malaysia and the US.
Related Happenings
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
An **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Timeline
07.01.2026 18:00 2 articles · 4mo ago
Group-IB discloses Android NFC-relay payment fraud
Initial Disclosure
Group-IB identified a new wave of Android malware sold in Chinese-language Telegram cybercrime communities that relays NFC card data from victims’ phones to criminal devices, enabling unauthorized tap-to-pay transactions without physical access to bank cards. Researchers found more than 54 malicious APK samples, vendors including TX-NFC, X-NFC and NFU Pay, and at least $355,000 in illegitimate transactions tied to one POS terminal vendor between November 2024 and August 2025. Group-IB advised user education, fraud monitoring, stronger merchant vetting and improved KYC checks.
Sources
- Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud — www.infosecurity-magazine.com — 07.01.2026 18:00