Since April 2024, over 760 Android apps abusing NFC and Host Card Emulation (HCE) have been observed stealing payment card data and relaying transactions, targeting banks and payment services across Russia, Poland, the Czech Republic, Slovakia, Brazil, and other regions. The campaigns use dozens of C2 servers and Telegram bots/channels for exfiltration, and impersonate institutions such as Tinkoff, VTB, the Central Bank of Russia, and Google Pay. #Tinkoff #VTB #CentralBankofRussia #GooglePay
Key Points
- More than 760 malicious Android apps exploiting NFC/HCE to capture and relay EMV payment data have been identified since April 2024.
- Over 70 C2 servers and multiple distribution sources support the campaigns, with dozens of Telegram bots and private channels used for coordination and data exfiltration.
- Approximately 20 institutions have been impersonated, primarily Russian banks and regulators, plus targets in Brazil, Poland, the Czech Republic, and Slovakia.
- Malicious apps operate in variants: some act as scanner/tapper tool pairs (card reader + POS) while others collect card data and forward it to Telegram channels for automated processing.
- Apps prompt users to set them as the default NFC payment app and run background HCE services to handle NFC events with minimal user interaction.
- The C2-to-app command set includes commands for login, device registration, APDU relay, card info display/clear, PIN retrieval, pairing, and Telegram notifications, which enables real-time relay and attacker-controlled transactions.
- Zimperium’s MTD and zDefend provide on-device detection and protection against these NFC relay malware behaviors without relying on cloud lookups.
MITRE Techniques
- [T1660] Phishing – Adversaries send malicious content to users in order to gain access to their device. Quote: ‘Adversaries send malicious content to users in order to gain access to their device.’
- [T1624] Event Triggered Execution – Registers an HCE HostApduService (default NFC payment app), waking the malicious service on NFC payment events to relay APDUs. Quote: ‘Registers an HCE HostApduService (default NFC payment app), waking the malicious service on NFC payment events to relay APDUs.’
- [T1655.001] Masquerading: Match Legitimate Name or Location – Malware pretends to be legitimate Brazilian and Russian financial institution applications to deceive users. Quote: ‘Malware pretending to be the Brazilian and Russian financial institution application.’
- [T1406.002] Obfuscated Files or Information: Software Packing – Uses obfuscation and packers (JSONPacker) to conceal code. Quote: ‘It is using obfuscation and packers (JSONPacker) to conceal its code.’
- [T1426] Web Service Bidirectional Communication – Uses bidirectional web service communication for interaction between app and server. Quote: ‘Web Service Bidirectional Communication’
- [T1636.002] Web Service: Bidirectional Communication – Uses websocket communication to poll the threat actor’s server and receive commands. Quote: ‘It uses websocket communication to poll the TA’s server and get the commands to execute.’
- [T1646] Exfiltration Over C2 Channel – Sends exfiltrated card and device data over C2 channels and Telegram bots/channels. Quote: ‘Sending exfiltrated data over C&C server.’
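The two behaviours above that matter most for static triage are the ones in the Key Points and in T1624: the app registers an HCE HostApduService so it can be set as the default NFC payment handler, and it holds network access so the APDUs it receives can leave the device. The following Python script is an added example written for this summary (it is not Zimperium's detection logic and not code from the campaign); it assumes you already have a decoded AndroidManifest.xml as text (for instance from apktool) and flags manifests that declare a HOST_APDU_SERVICE together with the INTERNET permission. The sample manifests, the package names and the service name `.RelayHceService` are constructed for the demonstration.

```python
# Manifest triage heuristic for NFC relay candidates (added example, not Zimperium's code).
# Assumes a decoded AndroidManifest.xml is available as a string.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"


def android_attr(name):
    """Return the namespace-qualified key for an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def find_hce_services(root):
    """List every <service> whose intent-filter registers it as an HCE HostApduService."""
    found = []
    for svc in root.iter("service"):
        actions = {act.get(android_attr("name")) for act in svc.iter("action")}
        if HCE_ACTION in actions:
            found.append({
                "name": svc.get(android_attr("name")),
                "exported": svc.get(android_attr("exported")) == "true",
                # Android only binds HCE services that require BIND_NFC_SERVICE.
                "nfc_bind_permission": svc.get(android_attr("permission")) == BIND_NFC,
            })
    return found


def triage_manifest(xml_text):
    """Return package name, declared HCE services, permissions and triage findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    hce_services = find_hce_services(root)
    findings = []
    if hce_services:
        # The app can ask to become the default NFC payment app (the prompt the Key Points describe).
        findings.append("hce_service")
        if "android.permission.INTERNET" in perms:
            # HCE plus network access: APDUs seen at a terminal can be relayed off-device.
            findings.append("hce_with_internet")
    return {
        "package": root.get("package"),
        "hce_services": hce_services,
        "permissions": sorted(p for p in perms if p),
        "findings": findings,
    }


# Constructed sample: a fake banking app declaring an HCE service and network access.
SAMPLE_SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <service android:name=".RelayHceService"
        android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
          android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary networked app with no HCE service at all.
SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        report = triage_manifest(sample)
        print(report["package"], "->", report["findings"] or ["no HCE indicators"])
```

A legitimate wallet such as Google Pay matches this heuristic too, since it also declares a HostApduService and uses the network, so treat `hce_with_internet` as a reason to pull the sample for closer review (signing identity versus the institution the app name claims, packer use, Telegram endpoints in network traffic) rather than as a verdict on its own.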
Indicators of Compromise
- [Domains/IPs] C2 and distribution infrastructure – over 70 C2 servers identified (examples not listed in article), and multiple distribution sources.
- [Telegram] Exfiltration and coordination – dozens of Telegram bots and private channels used to receive card data and device notifications (example: private Telegram channels shown receiving automated messages).
- [App Names/Package Names] Impersonating trusted apps – apps impersonate institutions such as Tinkoff, VTB, Central Bank of Russia, Google Pay (examples: apps presented as banks and government services).
- [File/Code Obfuscation] Packed/obfuscated payloads – use of JSONPacker and other obfuscation techniques to hide malicious code (example: JSONPacker, and other packed samples).
- [EMV/Card Data] Stolen payment data – exfiltrated EMV fields including card numbers, expiration dates, and device IDs posted to Telegram (example: device IDs and card numbers forwarded to attacker channels).
Read more: https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices