Researchers from Zimperium zLabs have uncovered a rapidly growing cybercrime trend involving Android applications that abuse NFC (Near Field Communication) and Host Card Emulation (HCE) to steal payment card data and conduct fraudulent “tap-to-pay” transactions.
What began as isolated incidents has now ballooned into over 760 malicious apps observed in the wild — an alarming sign that NFC relay abuse is accelerating, not slowing down.
Zimperium’s investigation revealed that cybercriminals are expanding their operations beyond initial regions such as Russia, targeting victims across Poland, the Czech Republic, Slovakia, and Brazil. The company observed that “Campaigns previously documented by other vendors are now broadening their reach to additional regions.”
The researchers identified more than 70 command-and-control (C2) servers and dozens of Telegram bots and private channels used to exfiltrate stolen financial data and coordinate operations among criminal groups.
“Approximately 20 institutions have been impersonated — primarily Russian banks and financial services, but also organizations in Brazil, Poland, the Czech Republic, and Slovakia,” Zimperium reported.
The list of impersonated entities reads like a global banking directory. Among the targets are:
- Central Bank of Russia, VTB Bank, Promsvyazbank (PSB), and Tinkoff Bank (Russia)
- PKO Bank Polski (Poland)
- Československá obchodní banka (ČSOB) (Czech Republic)
- National Bank of Slovakia (NBS) (Slovakia)
- Bradesco Bank and Itaú Bank (Brazil)
Even international services such as Google Pay and ING Bank were spoofed to increase credibility.
To lure victims, the fake apps masquerade as legitimate banking or government services, often using convincing icons, brand names, and web interfaces. Once installed, they prompt users to set the malicious app as the default NFC payment handler.
Behind the scenes, these apps exploit Android’s NFC and HCE functionality to emulate a payment card, intercepting EMV (Europay, Mastercard, Visa) data fields directly from the device or card tap.
Zimperium explained: “The applications are designed to require minimal user interaction, typically displaying a simple full-screen ‘bank’ page… They prompt the user to set the app as the default NFC payment method, while background services silently handle NFC events.”

This approach allows attackers to relay NFC signals between the victim’s card and a fraudulent Point of Sale (POS) terminal elsewhere — effectively performing real-time “tap-to-pay” theft.
Within underground channels, threat actors refer to their victims as “Mamonts” — slang for “prey” or “target” in Russian cybercriminal circles.
Some variants of the malicious apps act as “scanner/tapper tools” sold or distributed among threat actors, enabling card data extraction on one device and purchase execution on another.
Other variants focus purely on data collection, siphoning card numbers, expiration dates, and device IDs directly to private Telegram channels.
“Threat actors receive automated messages for each connected device, containing details such as device IDs, card numbers, expiration dates, and other EMV fields,” Zimperium said, accompanied by screenshots of real-time Telegram notifications.
Zimperium’s telemetry revealed a complex command-and-control (C2) structure that coordinates communication between infected devices and attacker servers.
Each malicious app registers itself with a server, sending hardware identifiers, NFC capabilities, and geolocation data.
The C2 infrastructure supports a range of commands such as:
- register_device – Enrolls the infected phone in the attack network.
- apdu_command / apdu_response – Forwards or responds to payment terminal queries in real-time.
- get_pin / pin_response – Requests and transmits PIN data.
- update_required – Prompts victims to install “updates” that are actually new malicious payloads.
This communication pattern allows cybercriminals to perform coordinated relay attacks, dynamically pairing compromised devices with POS systems during fraudulent transactions.
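To show what this command pattern looks like from the defender's side, here is an added example (not Zimperium's code or the malware's) that groups constructed C2 messages per device and rates each device's activity. The JSON wire format with `cmd` and `device_id` fields is an assumption; only the command names come from the report.

```python
import json
from collections import defaultdict

# Constructed sample of C2 messages using the command names the report lists.
# The JSON shape (one object per line, "cmd"/"device_id" keys) is an assumption.
SAMPLE_LOG = """
{"ts": 1, "device_id": "dev-A", "cmd": "register_device", "nfc": true}
{"ts": 2, "device_id": "dev-A", "cmd": "apdu_command"}
{"ts": 3, "device_id": "dev-A", "cmd": "apdu_response"}
{"ts": 4, "device_id": "dev-A", "cmd": "apdu_command"}
{"ts": 5, "device_id": "dev-A", "cmd": "apdu_response"}
{"ts": 6, "device_id": "dev-A", "cmd": "get_pin"}
{"ts": 7, "device_id": "dev-A", "cmd": "pin_response"}
{"ts": 8, "device_id": "dev-B", "cmd": "register_device", "nfc": false}
{"ts": 9, "device_id": "dev-B", "cmd": "update_required"}
"""

PIN_CMDS = {"get_pin", "pin_response"}

def parse_messages(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_sessions(messages):
    """Group messages by device and rate the activity seen for each one.

    Returns {device_id: {"severity": str, "apdu_round_trips": int, "reasons": [str]}}.
    """
    per_device = defaultdict(list)
    for m in messages:
        per_device[m["device_id"]].append(m)
    report = {}
    for dev, msgs in per_device.items():
        cmds = [m["cmd"] for m in msgs]
        reasons = []
        if "register_device" in cmds:
            reasons.append("device enrolled with C2")
        # a completed relay round trip is a terminal query plus its forwarded answer
        round_trips = min(cmds.count("apdu_command"), cmds.count("apdu_response"))
        if round_trips:
            reasons.append(f"{round_trips} APDU relay round trip(s)")
        if PIN_CMDS & set(cmds):
            reasons.append("PIN requested/transmitted")
        if "update_required" in cmds:
            reasons.append("'update' pushed (possible new payload)")
        # relay traffic plus PIN capture indicates a live tap-to-pay transaction
        if round_trips and PIN_CMDS & set(cmds):
            severity = "critical"
        elif round_trips or "update_required" in cmds:
            severity = "high"
        else:
            severity = "medium" if reasons else "info"
        report[dev] = {"severity": severity, "apdu_round_trips": round_trips, "reasons": reasons}
    return report
```

Fed with real proxy or sinkhole logs in the same shape, the per-device severity gives an analyst a quick triage order: devices in a live relay with PIN capture first, devices merely enrolled or receiving "updates" after.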
A recurring trend in this campaign is the heavy use of Telegram bots and channels for both data exfiltration and operator coordination.
Zimperium notes that “dozens of Telegram bots and private channels are being used by operators for exfiltration and coordination.”
These private channels automatically receive victim data in real time, often tagged by device ID or geographic region, streamlining the criminal workflow.
Zimperium concludes that NFC-based payment theft is becoming a mainstream cybercrime tactic, especially in regions with high adoption of contactless payments.