Red Hot Cyber
Android Malware Steals NFC-Enabled Credit Cards

Redazione RHC : 1 November 2025 14:21

In Eastern European countries, there has been a rapid increase in malicious Android apps that exploit contactless data transfer technology to steal credit cards.

According to Zimperium, over 760 programs using NFC technology to gain unauthorized access to payment information have been detected in recent months.

Unlike banking Trojans that spoof interfaces or gain remote access to devices, this new type of malware uses the host card emulation mechanism, allowing a smartphone to imitate a bank card.

These apps intercept EMV protocol fields, respond to terminal requests with predefined commands, or forward them to a remote server, where the correct responses are generated to complete the transaction without cardholder intervention.

Such attacks were first detected in Poland in 2023, then appeared in the Czech Republic, and finally spread to Russia. Over time, several variations of the scheme emerged: programs that transmit payment data via Telegram; toolkits that forward APDU commands to paired devices; so-called “ghost” payments, in which system responses are spoofed in real time; and fake web apps and banking apps that register as the primary payment method on the device.

Zimperium analysts note that the popularity of such tools in Eastern Europe is growing rapidly. Although isolated examples were discovered in early 2023, they now number in the hundreds. To coordinate their operations, attackers use over 70 command and control servers, app distribution platforms, and dozens of Telegram bots through which stolen data is transmitted.

Fraudulent apps often disguise themselves as well-known payment services and banks. Users are advised to download banking apps only from official websites, avoid installing APK files from third-party sources, and be wary of suspicious requests for NFC or access to background services.
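For teams that vet APKs before they reach managed devices, the check below turns the advice about suspicious NFC requests into a triage rule: flag any app that declares a host card emulation service but is not an expected payment app, and note when it also holds INTERNET. This is an added example, not code from Zimperium or Red Hot Cyber; it assumes the manifest has already been decoded to text XML, and the package names, allowlist and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
# Constructed allowlist: packages expected to emulate payment cards on managed devices.
EXPECTED_HCE_PACKAGES = {"com.example.trustedwallet"}

def triage_manifest(manifest_xml, allowlist=EXPECTED_HCE_PACKAGES):
    """Return review findings for one decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # A host card emulation service is one whose intent filter names HCE_ACTION.
    hce = [s.get(ANDROID + "name") for s in root.iter("service")
           if any(a.get(ANDROID + "name") == HCE_ACTION for a in s.iter("action"))]
    if not hce or package in allowlist:
        return []
    findings = [f"{package}: unexpected HCE service {name}" for name in hce]
    if "android.permission.INTERNET" in perms:
        findings.append(f"{package}: HCE plus INTERNET, APDUs could be forwarded off-device")
    return findings

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankupdate">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PayService"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

NFC_READER_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, NFC_READER_ONLY):
        print(triage_manifest(sample) or "no HCE findings")
```

A hit is a reason for manual review rather than a verdict, since legitimate wallets declare the same service and need network access.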

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
