Cyble Research and Intelligence Labs (CRIL) has identified a rapidly evolving NFC relay malware campaign targeting mobile payment users across Brazil.
The newly discovered malware family — named RelayNFC — turns a victim’s Android device into a remote card reader, enabling attackers to perform fraudulent contactless transactions as if the physical card were in their hands.
CRIL describes RelayNFC as “a lightweight yet highly evasive malware because of its Hermes-compiled payload… enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server.”
Even more alarming: samples currently show zero detections on VirusTotal, indicating that security products are still blind to this threat.
CRIL’s investigation reveals at least five phishing sites, all mimicking financial security portals and distributing the same malicious APK, indicating a coordinated operation. These include:
- hxxps://maisseguraca[.]site/
- hxxp://proseguro[.]site/
- hxxps://test.ikotech[.]online/
- hxxps://maisseguro[.]site/
- hxxp://maisprotecao[.]site/
According to the report, these fake pages lure victims using “secure your card” messaging and then push the malware. CRIL notes: “Distribution relies entirely on phishing, tricking users into downloading RelayNFC malware.”
RelayNFC is unusual: it’s built in React Native, and its JavaScript code is compiled into Hermes bytecode, making reverse engineering far more difficult.
This modern mobile-app approach mirrors recent trends in Brazilian fintech-targeting malware such as NGate and PhantomCard.
After installation, the malware spins up a phishing interface that instructs the user to tap their payment card against the phone, which displays the Portuguese-language prompt “APROXIME O CARTÃO” (“bring the card closer”).
CRIL confirms: “RelayNFC operates as a ‘reader’, enabling the malware to capture the victim’s card data and relay it to the attacker’s server.” The malware then asks for the victim’s PIN, which is harvested and forwarded to attackers.
RelayNFC sets up a persistent WebSocket channel to a command-and-control (C2) server, enabling a real-time APDU relay attack — the same technique used by advanced point-of-sale (POS) emulators and card-cloning operations.
The malware identifies itself as a “reader” during handshake:
Whenever attackers initiate a payment via their fraudulent POS emulator, the C2 server sends APDU commands like this:
RelayNFC forwards the APDU to the victim’s NFC chip, receives the card’s real response, and sends it back to the C2:
As CRIL explains: “This real-time, bidirectional relay… enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal.”
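To make the relay flow concrete from the analyst's side, the following added example (not Cyble's code and not the malware's) decodes the ISO 7816-4 APDUs carried over such a channel and flags the EMV command sequence a relayed contactless payment produces. The article does not reproduce RelayNFC's actual message format, so the framing used here (a JSON-style "role" handshake frame followed by frames with a "dir" and a hex "apdu" field) is an assumption, and the capture below is constructed; the card responses in it are dummies.

```python
"""Defensive triage of a captured NFC relay channel: decode the ISO 7816-4
APDUs in each message and flag the EMV command sequence of a relayed payment.
Added example; message framing is assumed and the capture is constructed."""

EMV_INS = {              # INS bytes of the commands an EMV contactless flow uses
    0xA4: "SELECT",
    0xA8: "GET PROCESSING OPTIONS",
    0xB2: "READ RECORD",
    0xAE: "GENERATE AC",
    0xCA: "GET DATA",
}
PPSE_AID = b"2PAY.SYS.DDF01"   # name selected first in every contactless payment


def parse_command_apdu(raw: bytes) -> dict:
    """Split a short command APDU into CLA/INS/P1/P2, data (if Lc) and Le."""
    if len(raw) < 4:
        raise ValueError("command APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                    # case 2: Le only
        le = body[0]
    elif len(body) > 1:                   # case 3/4: Lc + data [+ Le]
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc:
            raise ValueError("Lc does not match the data actually present")
        if len(rest) == 1:
            le = rest[0]
        elif rest:
            raise ValueError("unexpected bytes after Le")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data,
            "le": le, "name": EMV_INS.get(ins, "UNKNOWN")}


def parse_response_apdu(raw: bytes) -> dict:
    """Split a response APDU into its data field and status word SW1SW2."""
    if len(raw) < 2:
        raise ValueError("response APDU shorter than SW1SW2")
    return {"data": raw[:-2], "sw": raw[-2:].hex().upper(),
            "ok": raw[-2:] == b"\x90\x00"}


def classify_relay_stream(messages) -> dict:
    """Return the ordered EMV commands pushed toward the device, the number of
    successful card responses, and whether the exchange looks like a complete
    payment (PPSE selection through GENERATE AC)."""
    commands, ok_responses, roles = [], 0, set()
    for m in messages:
        if "role" in m:                    # handshake frame, carries no APDU
            roles.add(m["role"])
            continue
        raw = bytes.fromhex(m["apdu"])
        if m["dir"] == "c2->device":
            cmd = parse_command_apdu(raw)
            name = cmd["name"]
            if cmd["ins"] == 0xA4 and cmd["data"] == PPSE_AID:
                name = "SELECT PPSE"
            commands.append(name)
        elif parse_response_apdu(raw)["ok"]:
            ok_responses += 1
    return {
        "roles": roles,
        "commands": commands,
        "ok_responses": ok_responses,
        "looks_like_payment": "SELECT PPSE" in commands and "GENERATE AC" in commands,
    }


# Constructed capture: the device announcing itself as a reader, then a minimal
# PPSE -> GPO -> READ RECORD -> GENERATE AC exchange with dummy card responses.
SAMPLE_CAPTURE = [
    {"role": "reader"},
    {"dir": "c2->device", "apdu": "00A404000E325041592E5359532E444446303100"},
    {"dir": "device->c2", "apdu": "6F009000"},
    {"dir": "c2->device", "apdu": "80A8000002830000"},
    {"dir": "device->c2", "apdu": "77009000"},
    {"dir": "c2->device", "apdu": "00B2010C00"},
    {"dir": "device->c2", "apdu": "70009000"},
    {"dir": "c2->device", "apdu": "80AE50000301020300"},
    {"dir": "device->c2", "apdu": "77009000"},
]

if __name__ == "__main__":
    print(classify_relay_stream(SAMPLE_CAPTURE))
```

The point of the classifier is the ordering: a SELECT of the PPSE followed later by a GENERATE AC, with the card answering 9000 in between, is the signature of a full transaction being driven through the phone rather than an isolated card read, which is the behaviour the report describes.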
CRIL also uncovered a second sample, “cartao-seguro.apk”, distributed via one of the same phishing sites. This version includes a RelayHostApduService component attempting to implement Host Card Emulation (HCE) — enabling the device to emulate a card itself rather than act as a reader. This suggests ongoing development and experimentation. As the report states: “A related variant attempts to implement Host Card Emulation (HCE), showing that the threat actor is exploring alternate NFC relay techniques.”
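Because the samples had no detections at the time of the report, a quick static check for the traits the article attributes to RelayNFC and its HCE variant is useful during triage. The following added example (not Cyble's tooling) inspects an APK for the NFC permission, a HostApduService declaration, and a Hermes bytecode bundle. The Android constant names and the Hermes header magic come from the Android and Hermes sources; the APK is constructed in memory, and its manifest is a plain-text stand-in for the binary AXML a real APK carries, so the string search is a heuristic (both UTF-8 and UTF-16LE are checked because AXML string pools use either).

```python
"""Static APK triage for NFC relay / HCE traits and a Hermes-compiled bundle.
Added example; the sample APK below is constructed and its manifest is a
plain-text stand-in for binary AXML."""
import io
import struct
import zipfile

# uint64 little-endian magic at offset 0 of a Hermes bytecode file
# (value from the Hermes source, BytecodeFileFormat.h).
HERMES_MAGIC = 0x1F1903C103BC1C0

# Android constants that reveal NFC reader or HCE capability.
MANIFEST_INDICATORS = {
    "android.permission.NFC": "requests NFC permission",
    "android.nfc.cardemulation.action.HOST_APDU_SERVICE": "declares a HostApduService (HCE)",
    "android.nfc.cardemulation.host_apdu_service": "ships HCE service metadata",
    "android.hardware.nfc": "declares the NFC hardware feature",
}


def _has_string(blob: bytes, s: str) -> bool:
    """AXML string pools may be UTF-8 or UTF-16LE, so search both encodings."""
    return s.encode("utf-8") in blob or s.encode("utf-16-le") in blob


def is_hermes_bundle(header: bytes) -> bool:
    """True when the first 8 bytes are the Hermes bytecode magic."""
    return len(header) >= 8 and struct.unpack("<Q", header[:8])[0] == HERMES_MAGIC


def triage_apk(apk_bytes: bytes) -> dict:
    findings = {"manifest": [], "hermes_bundles": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            findings["manifest"] = [desc for s, desc in MANIFEST_INDICATORS.items()
                                    if _has_string(manifest, s)]
        for name in names:
            if name.startswith("assets/"):
                with apk.open(name) as f:          # only the header is needed
                    if is_hermes_bundle(f.read(8)):
                        findings["hermes_bundles"].append(name)
            if name.startswith("lib/") and name.endswith("libhermes.so"):
                findings["native_libs"].append(name)
    findings["nfc_relay_suspect"] = ("requests NFC permission" in findings["manifest"]
                                     and bool(findings["hermes_bundles"]))
    findings["hce_capable"] = "declares a HostApduService (HCE)" in findings["manifest"]
    return findings


def build_sample_apk(with_hce: bool) -> bytes:
    """Construct a toy APK-like zip: NFC permission, optional HCE service,
    a Hermes bundle header stub and a libhermes.so placeholder."""
    manifest = ["<manifest>", '<uses-permission android:name="android.permission.NFC"/>']
    if with_hce:
        manifest.append('<action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>')
    manifest.append("</manifest>")
    bundle = struct.pack("<Q", HERMES_MAGIC) + b"\x00" * 24   # header stub only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "\n".join(manifest).encode("utf-16-le"))
        z.writestr("assets/index.android.bundle", bundle)
        z.writestr("lib/arm64-v8a/libhermes.so", b"\x7fELF-stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(with_hce=True)))
```

On a real sample the manifest check should be replaced by a proper AXML parser (for example the one in androguard), but the combination the script looks for, NFC permission plus a Hermes bundle, is exactly what separates this family from an ordinary React Native app, and the HostApduService hit distinguishes the card-emulating variant from the reader one.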
Brazil has long been a testing ground for financial malware, and RelayNFC represents the next escalation: real-time EMV transaction relays fully controlled via the victim’s device.