Security researchers at zLabs have discovered that over 760 Android applications are involved in a malicious campaign targeting banking credentials through NFC technology, impacting users across multiple countries since April 2024. Victims span regions including Russia, Poland, and Brazil.
Malware Techniques and Targets
The applications impersonate about 20 banks and government entities, including major institutions like VTB Bank, Santander, and the Central Bank of Russia. By using social engineering tactics, these malicious apps convince users to grant dangerous NFC permissions, posing as legitimate payment methods.
Attackers employ Android's Host Card Emulation to hijack card information during contactless payments, capturing data such as card numbers and expiration dates. The malware's architecture includes over 70 command-and-control servers and uses dozens of Telegram channels for information transfer.
Impacted Countries and User Precautions
This widespread threat has affected banking app users in the Czech Republic, Slovakia, and more. Apps simulate full-screen banking interfaces to gain the default NFC status, posing a significant risk to unsuspecting users who may not recognize the deception.
Users are advised to be cautious when granting NFC permissions, especially to apps from unofficial sources. It's crucial to monitor for unexpected NFC activities and to rely only on reputable applications for financial transactions.
Bank and Manufacturer Response
As the threat grows, the need for proactive measures is clear. Financial institutions are encouraged to enhance fraud detection systems specifically for NFC transaction anomalies. Additionally, mobile device manufacturers should enforce stricter NFC permission controls to mitigate risks posed by such malware campaigns.
By addressing these vulnerabilities, a collective defense against such malware can be strengthened, safeguarding user data from exploitation.
