Your smartphone might be the only accomplice a thief needs to drain your bank account, even if your card never leaves your wallet. A new report from Group-IB reveals a surging underground market for NFC-enabled Android malware, where Chinese threat actors are selling tools that allow criminals to conduct unauthorized tap-to-pay transactions remotely.
Dubbed “Ghost Tap” by researchers, these sophisticated applications bridge the physical gap between a victim’s credit card and a thief’s point-of-sale (POS) terminal, facilitating a high-tech heist that is spreading globally through Telegram channels.
The mechanism is as ingenious as it is devious. The scam relies on relaying Near Field Communication (NFC) signals over the internet. According to the report, “Chinese threat actors are deploying NFC-enabled Android applications to carry out unauthorized tap-to-pay transactions remotely using victim’s bank cards”.
The operation typically involves two distinct Android applications working in tandem:
- The Reader: Installed on a victim’s phone—often via social engineering tactics like smishing or vishing—this app waits for the victim to tap their card against their own device, ostensibly to “verify” identity or “update” payment details.
- The Tapper: Installed on the criminal’s device, this app emulates the victim’s card. When the criminal holds their phone near a payment terminal, the “Tapper” relays the signal to the “Reader,” which communicates with the actual card.
“This technique allows criminals to complete payments or cash-out remotely as though the victims’ cards were physically present,” Group-IB researchers explain.
This isn’t just a few isolated hackers; it’s a structured industry. Group-IB identified multiple vendors promoting these tools within Chinese cybercrime communities on Telegram. Major players like TX-NFC, X-NFC, and NFU Pay are openly competing for customers, offering subscription models ranging from $45 for a single day to over $1,000 for three months of access.
The report notes that “multiple app variants are promoted and sold across Chinese cybercrime communities on Telegram,” with over 54 distinct APK samples identified during the investigation. Some of these vendors even offer 24/7 customer support, operating on shifts to ensure criminals can cash out at any time.
Stealing card data is one thing; turning it into cash is another. The investigation uncovered a disturbing link between malware developers and illicit hardware vendors.
“Illicitly acquired POS terminals are used for cash-outs, with terminals from major institutions openly advertised on Telegram,” the report states.
One prominent group, known as Oedipus, was found selling POS terminals from financial institutions across the Middle East, North Africa, and Asia. The financial impact is immediate and severe. Group-IB researchers recorded “at least $355,000 in illegitimate transactions” from this single vendor between November 2024 and August 2025.
Authorities worldwide are catching up to these “mule” networks. In the United States, 11 individuals were arrested in Tennessee for purchasing thousands of dollars in gift cards using similar apps, while police in Singapore and the Czech Republic have apprehended suspects performing contactless payments without physical cards.
As these tools become more accessible and “user-friendly” for criminals, the line between digital fraud and physical theft continues to blur.