Cybersecurity firm zLabs reported a growing threat to mobile payment security: over 760 malicious Android apps exploiting NFC relay are targeting banks globally.
Global Operation Details
Since 2024-04, this campaign has evolved from isolated incidents to a coordinated scale, affecting countries like Russia, Poland, and Brazil. These apps impersonate about 20 legitimate entities like VTB Bank and Tinkoff Bank.
- Threat actors set up around 70 command-and-control servers.
- Data exfiltration utilizes Telegram bots and private channels.
- Apps mimic legitimate banking portals to deceive users.
Technical Exploitation and Methods
NFC and Host Card Emulation (HCE) are central to these apps, which function as paired systems: one app extracts data, the other interfaces with point-of-sale systems. Background services intercept NFC events, using HostApduService to relay APDUs between devices. Names are masqueraded to appear as trusted banks or services.
- Command-and-control uses WebSocket for key functions.
- Critical commands include APDU relays and device registration.
- Use of code obfuscation with JSONPacker complicates analysis.
Banking Sector Implications
The NFC relay-based fraud campaign highlights vulnerabilities in mobile financial systems. It underscores the need for enhanced scrutiny of app permissions related to NFC payments, calling for vigilance among financial institutions and increased security measures to protect consumer data.
