Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com
Published by CyberDudeBivash • Date: Nov 1, 2025 (IST)
How 700+ Android Banking Targets Are Hit by NFC-Relay Malware That Bypasses MFA
Security researchers report a steep rise in NFC relay malware on Android. These trojans abuse the platform's NFC stack, including Host Card Emulation (HCE), to hijack Tap-to-Pay: card data captured on a victim's phone is forwarded in real time to an attacker's device, which presents it to a terminal or ATM as if the card were there. Zimperium zLabs tracks 760+ malicious apps using these techniques since 2024, across multiple regions. Families like RatOn and NGate show how criminals sidestep device checks and MFA by stealing tokens, automating approvals, or relaying live payment data.
TL;DR — What Makes NFC-Relay So Dangerous
- Live relay beats static theft: Malware on the victim's phone captures the card's NFC exchange and forwards it in real time to a fraudster's device at a POS or ATM, which emulates the card. Nothing is cloned: the genuine card (or wallet session) answers the terminal through the relay, so the transaction is card-present as far as the terminal can tell.
- MFA ≠ protection: In contactless payments the "second factor" is the Cardholder Verification Method (CVM): a terminal PIN, or for wallets a device unlock/biometric. Below the no-CVM floor limit a relayed exchange needs neither, and where the relay rides on an already-unlocked wallet the device-level CVM has been satisfied on the victim's phone before the relay starts. Either way the issuer sees an authenticated transaction.
- Scale: >760 malicious Android apps abusing NFC/HCE observed by Zimperium since 2024; campaigns span multiple regions.
1) How NFC-Relay & HCE Abuse Works
- Victim device infected: The user sideloads a trojanized app (often posing as a video/adult/“TikTok18+” app); the malware requests Accessibility and draw-over-apps (overlay) permissions plus NFC access.
- Relay channel established: On the victim's phone the malware uses NFC reader mode to exchange APDUs with a payment card (in NGate's case after telling the victim to hold their card to the phone) and streams the command/response traffic over the network to an attacker-controlled phone near a terminal or ATM. There a Host Card Emulation (HCE) service answers the terminal with the card's live responses. HCE is the attacker-side half of the relay: an app cannot read another app's emulated card on the same device.
- POS accepts transaction: The terminal sees a valid contactless exchange that appears to come from the card (or wallet) in front of it; the fraudster completes the payment or ATM withdrawal while the victim is elsewhere.
Why this is hard to spot: the transaction is a genuine card-present exchange tied to a legitimate, authenticated device profile, so velocity and fraud scoring are unlikely to trigger until after the fact.
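To make the mechanism concrete, here is an added toy model in Python (not code from this page, nor from NGate, RatOn or any other family it names). A terminal issues the first APDU of a contactless transaction, SELECT PPSE, once over a direct path and once over a relayed path; the bytes it gets back are identical, and the only thing it can observe is round-trip time. The card's FCI response, the hop names and all latencies are constructed values; the SELECT PPSE command itself uses the real "2PAY.SYS.DDF01" name.

```python
"""Toy model of an NFC relay. Added illustration, not code from the page or
from any malware family. A terminal sends SELECT PPSE to what it believes is a
card; in the relayed case every APDU crosses a simulated network path to the
victim's phone and back. Latencies and the card's FCI are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

# SELECT by DF name "2PAY.SYS.DDF01" (the real PPSE name), Le = 00.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
SW_OK = bytes.fromhex("9000")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")


class ToyCard:
    """Stands in for the victim's physical card. Answers any SELECT with a
    constructed FCI (tag 6F wrapping tag 84 = DF name) and rejects the rest."""
    FCI = bytes.fromhex("6F10840E325041592E5359532E4444463031")

    def transceive(self, apdu: bytes) -> bytes:
        if apdu[:4] == bytes.fromhex("00A40400"):
            return self.FCI + SW_OK
        return SW_FILE_NOT_FOUND


@dataclass(frozen=True)
class Hop:
    name: str
    one_way_ms: float


@dataclass
class Channel:
    """A path from terminal to card. Direct: one 'nfc-field' hop. Relayed:
    POS field -> attacker phone (HCE) -> C2 -> victim phone (reader mode)
    -> card, each hop adding simulated one-way latency."""
    card: ToyCard
    hops: List[Hop]
    log: List[str] = field(default_factory=list)

    def transceive(self, apdu: bytes) -> Tuple[bytes, float]:
        rtt_ms = 0.0
        for hop in self.hops:                 # command travels toward the card
            rtt_ms += hop.one_way_ms
            self.log.append(f"{hop.name} -> C-APDU {apdu.hex()}")
        resp = self.card.transceive(apdu)
        for hop in reversed(self.hops):       # response travels back
            rtt_ms += hop.one_way_ms
            self.log.append(f"{hop.name} <- R-APDU {resp.hex()}")
        return resp, rtt_ms


def terminal_select_ppse(channel: Channel, timing_budget_ms: float = 200.0) -> dict:
    """Everything the terminal can observe: the response bytes (identical on
    both paths) and the round trip. timing_budget_ms is an illustrative
    terminal-side check, not something default contactless kernels enforce."""
    resp, rtt_ms = channel.transceive(SELECT_PPSE)
    return {
        "sw_ok": resp[-2:] == SW_OK,
        "fci": resp[:-2].hex(),
        "rtt_ms": rtt_ms,
        "within_budget": rtt_ms <= timing_budget_ms,
    }


def direct_channel() -> Channel:
    return Channel(ToyCard(), [Hop("nfc-field", 5.0)])


def relayed_channel() -> Channel:
    return Channel(ToyCard(), [
        Hop("pos-nfc-field", 5.0),
        Hop("attacker-phone->c2", 40.0),        # constructed mobile-data latency
        Hop("c2->victim-phone", 40.0),
        Hop("victim-phone-nfc-field", 5.0),
    ])


if __name__ == "__main__":
    for name, ch in (("direct", direct_channel()), ("relayed", relayed_channel())):
        print(name, terminal_select_ppse(ch))
        print("\n".join(ch.log))
```

With the constructed latencies the direct exchange completes in 10 ms and the relayed one in 180 ms, yet both pass a loose 200 ms budget; only a tight budget separates them. Production terminals generally do not enforce such a budget; Mastercard's Relay Resistance Protocol (EMV Contactless Kernel 2) is the standard mechanism that adds one and it is far from universally deployed, which is why the device- and issuer-side detections in section 4 carry the load.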
2) Why MFA/Step-Up Often Fails
- Device-based CVM is pre-satisfied: If the screen unlock/biometric occurred on the phone earlier (or was bypassed with overlays), wallets treat the device as “verified” at the time of relay.
- Session/token theft: Some trojans steal wallet/session tokens or abuse Accessibility to approve prompts, making “second factor” moot for subsequent authorizations.
- Low-value, no-PIN rails: Markets with low-value contactless thresholds are especially exposed; transactions complete without additional CVM.
3) Malware Families & Recent Activity
- RatOn — Android banking trojan documented by ESET Research (September 2025), built on NGate's NFC relay and adding ATS automation, overlays, remote control and credential/token theft; active since July 2025 against Czech and Slovak banking users.
- NGate — ESET-documented malware that relays NFC data from victim device to attacker at ATM/POS; detailed technical write-up.
- PhantomCard — ThreatFabric reports NFC-driven Android malware emerging in Brazil; indicator of rising interest and tool availability.
- Trend/scale — Zimperium zLabs: >760 malicious apps abusing NFC/HCE since 2024, not just one family.
4) Detections & Hunts (Android / Network / SOC)
On Android Endpoints (MDM/EDR for Mobile)
- Alert on apps requesting NFC + Accessibility + Overlay combo, especially outside Play Store provenance.
- Detect HCE service registrations (services declaring the HOST_APDU_SERVICE or OFF_HOST_APDU_SERVICE intent action) in non-wallet apps; flag payment-category AID groups and unknown AIDs.
- Watch for draw-over-apps & suspicious biometric prompts shortly before NFC use (overlay bypass).
Network/Payment Telemetry
- Correlate device fingerprint used in Tap-to-Pay with improbable geography/time (user phone in City A while contactless acceptance in City B within minutes).
- Monitor for new BIN/merchant patterns spiking after wallet unlock events; add friction on first-seen MCC/BIN after device changes.
Banking App / Wallet Signals
- Telemetry for HCE invocation from background or while Accessibility service is active.
- Detect auto-approval flows (Accessibility-driven OK taps) that occur too quickly/consistently to be human.
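The two telemetry checks described in this section (improbable geography/time between the phone and the accepting terminal, and approvals too fast and too uniform to be human), as an added Python example that is not from the page or any vendor product. The coordinates, timestamps and thresholds are constructed, and the event shapes (position fixes from the banking app, contactless authorizations from the issuer feed, prompt/approve events from the wallet UI) are assumptions about what your pipelines expose.

```python
"""Two issuer/wallet-side heuristics against NFC relay fraud. Added example,
not from the page or any vendor. Coordinates, timestamps and thresholds are
constructed; the event shapes are assumptions about available telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import median, pstdev
from typing import Dict, Iterable, List, Tuple

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


@dataclass(frozen=True)
class DeviceFix:            # last known position reported by the banking app
    device_id: str
    ts: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class TapAuth:              # contactless authorization seen by the issuer
    device_id: str
    ts: datetime
    terminal_lat: float
    terminal_lon: float
    amount: float
    merchant: str


def impossible_travel(fixes: Iterable[DeviceFix], auths: Iterable[TapAuth],
                      max_speed_kmh: float = 900.0, min_km: float = 50.0) -> List[Dict]:
    """Pair each authorization with the device's closest-in-time fix and flag
    when the implied speed from phone to terminal exceeds an airliner's.
    min_km keeps GPS noise inside one city from triggering."""
    by_device: Dict[str, List[DeviceFix]] = {}
    for f in fixes:
        by_device.setdefault(f.device_id, []).append(f)
    flagged = []
    for auth in auths:
        candidates = by_device.get(auth.device_id)
        if not candidates:
            continue
        fix = min(candidates, key=lambda f: abs((f.ts - auth.ts).total_seconds()))
        km = haversine_km(fix.lat, fix.lon, auth.terminal_lat, auth.terminal_lon)
        hours = max(abs((auth.ts - fix.ts).total_seconds()), 1.0) / 3600.0  # floor: 1 s
        speed = km / hours
        if km >= min_km and speed > max_speed_kmh:
            flagged.append({"device_id": auth.device_id, "merchant": auth.merchant,
                            "amount": auth.amount, "km": round(km, 1),
                            "implied_kmh": round(speed)})
    return flagged


def robotic_approvals(events: Iterable[Tuple[datetime, str]], max_median_ms: float = 300.0,
                      max_jitter_ms: float = 25.0, min_samples: int = 3) -> Dict:
    """events are (timestamp, 'prompt' | 'approve') from the wallet UI. Each
    prompt is paired with the next approve. Latencies that are both very short
    and nearly identical are the signature of Accessibility-driven auto-OK."""
    latencies_ms: List[float] = []
    pending = None
    for ts, kind in sorted(events):
        if kind == "prompt":
            pending = ts
        elif kind == "approve" and pending is not None:
            latencies_ms.append((ts - pending).total_seconds() * 1000.0)
            pending = None
    if len(latencies_ms) < min_samples:
        return {"suspicious": False, "n": len(latencies_ms)}
    med, jitter = median(latencies_ms), pstdev(latencies_ms)
    return {"suspicious": med < max_median_ms and jitter < max_jitter_ms,
            "n": len(latencies_ms), "median_ms": round(med, 1), "jitter_ms": round(jitter, 1)}


def demo() -> Dict:
    """Constructed sample: phone last seen in Prague; four minutes later a tap
    is accepted ~185 km away in Brno, then a small one nearby in Prague."""
    t0 = datetime(2025, 10, 30, 12, 0, tzinfo=timezone.utc)
    fixes = [DeviceFix("dev-A", t0, 50.0755, 14.4378)]
    auths = [TapAuth("dev-A", t0 + timedelta(minutes=4), 49.1951, 16.6068, 39.90, "kiosk-brno"),
             TapAuth("dev-A", t0 + timedelta(minutes=5), 50.0800, 14.4300, 4.20, "cafe-prague")]
    bot: List[Tuple[datetime, str]] = []
    for i, ms in enumerate((120, 118, 121, 119)):          # ~120 ms, almost no jitter
        bot += [(t0 + timedelta(seconds=10 * i), "prompt"),
                (t0 + timedelta(seconds=10 * i, milliseconds=ms), "approve")]
    human = [(t0, "prompt"), (t0 + timedelta(milliseconds=900), "approve"),
             (t0 + timedelta(seconds=30), "prompt"), (t0 + timedelta(seconds=31, milliseconds=400), "approve"),
             (t0 + timedelta(seconds=60), "prompt"), (t0 + timedelta(seconds=62, milliseconds=100), "approve")]
    return {"travel": impossible_travel(fixes, auths),
            "bot": robotic_approvals(bot), "human": robotic_approvals(human)}


if __name__ == "__main__":
    print(demo())
```

Both functions return risk signals rather than verdicts: a stale position fix or a user on a train will produce false positives, so feed them into step-up authentication or a hold on first-seen terminals instead of declining outright. The thresholds here are starting points to tune against your own false-positive budget.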
Example (concept): a YARA-L-style rule sketch. This is pseudocode, not valid YARA-L; the app.* fields stand for whatever your MTD/EDR exposes. Two details matter when you turn it into a real rule: BIND_ACCESSIBILITY_SERVICE is declared as the android:permission on the <service>, not as a <uses-permission>, and the host-apdu-service / offhost-apdu-service elements live in the service's XML resource under res/xml, while in AndroidManifest.xml the marker is the HOST_APDU_SERVICE / OFF_HOST_APDU_SERVICE intent action.
# Flag suspicious HCE usage + overlays in non-wallet apps
condition:
  app.permissions containsAll ["android.permission.NFC",
                               "android.permission.BIND_ACCESSIBILITY_SERVICE",
                               "android.permission.SYSTEM_ALERT_WINDOW"]
  AND app.manifest containsAny ["host-apdu-service", "offhost-apdu-service"]
  AND app.signing notIn trusted_publishers
score: HIGH
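The rule sketch above as an added, runnable check in Python (example code, not the page's rule or any product's): it parses a decoded AndroidManifest.xml and the HCE service's XML resource, as apktool or androguard would give you, and applies the same combination logic with the manifest details corrected. The two manifests are constructed samples; the AID filters are the public Mastercard and Visa application identifiers; the allow-list holds the real Google Wallet and Samsung Wallet package names but is itself only an example to be replaced with the wallets approved for your fleet.

```python
"""Manifest triage for the NFC + overlay + Accessibility + HCE combination.
Added example; inputs are decoded (text) XML as apktool/androguard emit.
The manifests below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTIONS = {
    "android.nfc.cardemulation.action.HOST_APDU_SERVICE",
    "android.nfc.cardemulation.action.OFF_HOST_APDU_SERVICE",
}
# Example allow-list only: real package names, but replace the set with the
# wallets actually approved for your fleet.
TRUSTED_WALLET_PACKAGES = {"com.google.android.apps.walletnfcrel", "com.samsung.android.spay"}


def a(attr: str) -> str:
    """ElementTree key for an android: namespaced attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


def triage_manifest(manifest_xml: str, apdu_service_xml: str = "",
                    trusted: Set[str] = TRUSTED_WALLET_PACKAGES) -> Dict:
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    uses_perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is not a <uses-permission>; it is the
    # android:permission guarding the <service>, so look at services too.
    service_perms = {e.get(a("permission")) for e in root.iter("service")}
    actions = {e.get(a("name")) for e in root.iter("action")}

    findings: List[str] = []
    if "android.permission.NFC" in uses_perms:
        findings.append("NFC")
    if "android.permission.SYSTEM_ALERT_WINDOW" in uses_perms:
        findings.append("OVERLAY")
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in service_perms:
        findings.append("ACCESSIBILITY_SERVICE")
    if actions & HCE_ACTIONS:
        findings.append("HCE_SERVICE")

    aids: List[str] = []
    if apdu_service_xml and "HCE_SERVICE" in findings:
        svc = ET.fromstring(apdu_service_xml)
        # A payment-category AID group makes the app eligible as default payment
        # app; an explicit requireDeviceUnlock="false" says it will answer a
        # terminal while the phone is locked.
        if svc.get(a("requireDeviceUnlock"), "").lower() == "false":
            findings.append("NO_DEVICE_UNLOCK")
        for grp in svc.iter("aid-group"):
            if grp.get(a("category")) == "payment":
                findings.append("PAYMENT_AID_GROUP")
            aids += [f.get(a("name")) for f in grp.iter("aid-filter")]

    trusted_pkg = pkg in trusted
    score = "LOW"
    if "HCE_SERVICE" in findings and not trusted_pkg:
        score = "MEDIUM"                      # transit/badge apps use HCE too
        if {"NFC", "OVERLAY", "ACCESSIBILITY_SERVICE"} <= set(findings):
            score = "HIGH"
    return {"package": pkg, "trusted": trusted_pkg, "findings": findings,
            "aids": aids, "score": score}


# Constructed sample: a "premium video" sideload that is really a relay app.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.premiumvideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Hce" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml; the AIDs are the public Mastercard and Visa ones.
SUSPICIOUS_APDU_SERVICE = f"""<host-apdu-service xmlns:android="{ANDROID_NS}"
    android:description="@string/svc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/grp" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>"""

BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST, SUSPICIOUS_APDU_SERVICE))
    print(triage_manifest(BENIGN_MANIFEST))
```

Binary AXML straight out of an APK must be decoded first (apktool, androguard's AXMLPrinter) before this parser sees it. HCE alone scores MEDIUM because transit and access-badge apps legitimately register HCE services; the HIGH verdict needs the overlay and Accessibility capabilities alongside it in an app outside your wallet allow-list.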
5) Mitigations & Policy Changes (Do These Now)
- Lock down installs: Disable sideloading on corporate Androids; enforce Play Protect and verified app sources; MAM/MDM blocklists for known NFC-relay trojans.
- Wallet hardening: Require fresh biometric prompt at transaction time (not just device unlock), and tie CVM to a secure-hardware signal when possible (TEE/SE).
- HCE allow-list: On enterprise-issued devices, permit only approved wallet packages to register HCE payment services. In practice this is enforced through the installed-app allow-list and by monitoring which package is set as the default payment app; treat any other app registering payment-category AIDs as an incident.
- Fraud controls: Add step-up for first-seen merchant/terminal or unusual MCC; shorten token lifetimes; monitor device integrity attestation before Tap-to-Pay.
- User training: Teach that “free premium/TikTok18+” APKs = fraud; show screenshots of RatOn/overlay prompts; mandate reporting on any unexpected “unlock to pay” when not at a POS.
FAQ
Are legitimate banking apps “doing” NFC relay?
No. The “700+” refers to malicious apps abusing NFC/HCE to relay or impersonate wallets, per recent research. Legitimate banking/wallet apps are the targets, not the perpetrators.
Does MFA stop NFC-relay attacks?
Not reliably. Relay attacks piggyback on device-level CVM or steal session tokens; to improve resilience, require on-transaction biometrics bound to secure hardware + risk-based step-up on first-seen terminals.
Which regions are hit?
Campaigns have been observed across Europe and LATAM, with specific waves in Czechia/Slovakia and Brazil; indicators suggest global spread as tooling proliferates.
Sources
- Zimperium zLabs — “Tap-and-Steal: The Rise of NFC Relay Malware on Mobile” (tracks 760+ malicious apps since 2024).
- ESET Research — NGate Android malware relays NFC traffic to steal cash (technical analysis).
- ESET Research / news coverage — RatOn Android trojan combines NFC relay with ATS, active 2025.
- The Hacker News / SC/industry roundups — waves of NFC-relay malware, regional notes.
- USENIX Security ’24 — Wallet/payment ecosystem security & CVM trust model.
- ESET blog background on NFC payment data abuse in banking.
CyberDudeBivash — Services, Apps & Ecosystem
- Mobile Threat Defense (NFC/HCE abuse detection, Android EMM baselines)
- Banking/Wallet App Hardening (CVM, attestation, anti-relay heuristics)
- Fraud Analytics (device fingerprint + merchant telemetry correlation)
- Incident Response (token purge, overlay/Accessibility abuse triage)