Cyble Research and Intelligence Labs (CRIL) has identified a newly emerging and technically advanced Android malware family, dubbed RelayNFC, which is actively targeting mobile payment users across Brazil.
The malware enables real-time NFC relay attacks, capturing victims' card details and PINs by tricking them into tapping their contactless payment cards against infected Android devices. RelayNFC then transmits the stolen credentials directly to attacker-controlled servers, allowing fraudulent transactions to occur as if the physical card were present.
This discovery marks a significant evolution in mobile payment fraud, combining social engineering, NFC manipulation, and advanced code obfuscation to bypass traditional mobile security mechanisms.
Campaign Overview
Unlike traditional Android banking trojans that rely on overlay attacks, keylogging, or abuse of accessibility services, RelayNFC follows a workflow that needs none of these. Victims are lured into installing malicious apps hosted on phishing sites that masquerade as legitimate card security portals. Once installed, the app asks the user to "secure" their contactless card by tapping it on the device.
The malware immediately initiates an NFC relay session, capturing payment card information and PIN data. This information is relayed in real time to attacker-controlled infrastructure, enabling fraudulent contactless transactions.
"RelayNFC marks a significant shift in how threat actors are targeting mobile payments," said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. "By combining social engineering with real-time NFC relay techniques and modern development frameworks, the attackers have created a highly evasive malware strain. This campaign underscores the growing need for stronger mobile security awareness and proactive defenses across the financial ecosystem."
Technical Sophistication
CRIL's analysis revealed several advanced techniques contributing to RelayNFC's stealth and operational efficiency:
● Hermes Bytecode Compilation: The malware is built with the React Native framework and ships its JavaScript as Hermes-compiled bytecode rather than readable source. Analysts therefore see only the React Native runtime in the Dalvik code, with the actual logic packed in a bytecode bundle, and static detection systems that do not parse Hermes bundles miss it.
● Real-Time NFC Relay Logic: Captured card data and entered PINs are relayed instantly to attacker servers, enabling "card-present" style fraud.
● Phishing-Based Distribution: Malware samples are exclusively distributed via phishing websites impersonating card security portals, eliminating reliance on app stores.
● Variant Experimentation: A related sample indicates early experimentation with Host Card Emulation (HCE), the Android capability that lets the phone itself present as a contactless card to a terminal, suggesting future expansion toward more advanced mobile payment fraud techniques.
● Zero-Detection Footprint: At the time of discovery, RelayNFC samples showed zero detections on common scanning platforms.
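The Hermes point above is the one an analyst acts on first when triaging a suspicious APK: a React Native app whose bundle is Hermes bytecode cannot be read with a Java/Dalvik decompiler, so the first check is whether the bundle inside the archive carries the Hermes header. The following is an added example, not code from Cyble's report or from the malware; it uses the Hermes header layout (8-byte magic, 4-byte version, 20-byte source hash, 4-byte file length) from the Hermes source tree, and the sample APK it builds in memory is a constructed fixture with an arbitrary bytecode version, not a real sample.

```python
import io
import struct
import zipfile

# Hermes bytecode header, per hermes/include/hermes/BCGen/HBC/BytecodeFileFormat.h:
#   uint64 magic | uint32 version | uint8[20] source hash | uint32 file length | ...
HERMES_MAGIC = 0x1F1903C103BC1FC6
HERMES_DELTA_MAGIC = (~HERMES_MAGIC) & 0xFFFFFFFFFFFFFFFF  # delta-prepped bundles use ~MAGIC
HEADER_LEN = 36


def parse_hermes_header(data: bytes):
    """Return header fields if `data` starts with a Hermes bytecode header, else None."""
    if len(data) < HEADER_LEN:
        return None
    magic, version = struct.unpack_from("<QI", data, 0)
    if magic not in (HERMES_MAGIC, HERMES_DELTA_MAGIC):
        return None
    file_length = struct.unpack_from("<I", data, 32)[0]
    return {"version": version, "file_length": file_length, "delta": magic == HERMES_DELTA_MAGIC}


def triage_apk(apk_bytes: bytes) -> dict:
    """Walk an APK (a zip) and classify every React Native bundle as Hermes bytecode or plain JS."""
    findings = {"bundles": [], "hermes": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # RN bundles normally live at assets/index.android.bundle; match any *.bundle
            if not name.endswith(".bundle"):
                continue
            with zf.open(name) as fh:
                head = fh.read(HEADER_LEN)
            hdr = parse_hermes_header(head)
            if hdr:
                findings["bundles"].append({"path": name, "kind": "hermes", **hdr})
                findings["hermes"] = True
            else:
                findings["bundles"].append({"path": name, "kind": "plain-js"})
    return findings


def build_sample_apk(hermes: bool) -> bytes:
    """Constructed fixture: a minimal zip laid out like an APK with one RN bundle (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if hermes:
            # version 96 is an arbitrary placeholder; real bundles carry the compiler's version
            header = struct.pack("<QI", HERMES_MAGIC, 96) + b"\x00" * 20 + struct.pack("<I", 4096)
            zf.writestr("assets/index.android.bundle", header + b"\x00" * 64)
        else:
            zf.writestr("assets/index.android.bundle", b"var __BUNDLE_START_TIME__=Date.now();\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_apk(build_sample_apk(flag)))
```

When the result reports `hermes`, the Dalvik classes are just the framework and the bundle has to be disassembled with a Hermes-aware tool; the `version` field tells you which bytecode version that tool must support.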
Threat actors behind RelayNFC demonstrate an evolving understanding of mobile payment systems, NFC protocols, and evasion strategies, making this one of the more innovative fraud campaigns to emerge in 2025.
Geographic and Targeting Focus
RelayNFC primarily targets individuals and small businesses across Brazil, a country with rapidly growing adoption of contactless card payments and mobile payment applications.
Key targeting observations include:
● Consumers using contactless credit/debit cards
● Individuals interacting with unsolicited "card verification" portals
● Users reliant on Android devices for mobile payments
● Regions with high adoption of NFC-enabled POS systems
The attackers leverage localized social engineering themes, Brazilian Portuguese language lures, and region-specific payment terminology to increase the likelihood of interaction with victims.
Multi-Stage Social Engineering Strategy
The attack chain reflects layered social engineering aimed at building credibility:
● Fake "card security validation" websites prompt users to download the malicious APK
● The app requests users to tap their physical cards for "secure activation"
● Victims are guided step-by-step to enter PINs and card details
● The malicious app displays reassuring messages to delay suspicion
This approach allows attackers to harvest high-value payment credentials using a method that feels legitimate and intuitive to users.
Recommendations for Users and Organizations
Cyble advises immediate caution and the following protective measures:
For End Users:
● Never download APK files from unsolicited links or unknown websites
● Treat "card verification" or "security validation" prompts as suspicious
● Avoid tapping contactless cards on any device or app not provided by your bank
● Report suspicious apps or payment-related prompts immediately
For Financial Institutions & Security Teams:
● Educate customers about emerging NFC relay fraud techniques
● Monitor for unauthorized contactless transactions and relay-style patterns
● Implement behavioral analytics for abnormal transaction flows
● Strengthen detection of phishing domains delivering malicious APK files
● Conduct retroactive threat hunts using available IoCs
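The "relay-style patterns" and "behavioral analytics" items above are easier to act on with a concrete check. A relayed contactless transaction is authorized as card-present at a terminal the attacker controls, while the physical card is still in the victim's hand, so a card that appears at two card-present terminals far apart within minutes is the signal an issuer can look for. The example below is added here and is not from Cyble's report; the speed threshold, the "same metro area" radius, and the transaction records are all assumed or constructed for illustration, and the check is a generic impossible-travel heuristic rather than anything specific to this malware's infrastructure.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds: faster than any flight between two card-present terminals is impossible,
# and anything inside a 50 km radius is treated as the same metro area (normal card use).
MAX_PLAUSIBLE_KMH = 900.0
SAME_AREA_KM = 50.0
CARD_PRESENT_MODES = {"contactless", "chip"}


@dataclass
class Txn:
    card: str
    ts: datetime
    amount: float
    entry_mode: str  # contactless | chip | ecommerce
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def relay_alerts(txns):
    """Flag consecutive card-present transactions on one card that imply impossible travel."""
    by_card = defaultdict(list)
    for t in txns:
        if t.entry_mode in CARD_PRESENT_MODES:  # e-commerce needs no physical card, ignore it
            by_card[t.card].append(t)
    alerts = []
    for card, rows in by_card.items():
        rows.sort(key=lambda t: t.ts)
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < SAME_AREA_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "card": card,
                    "from": prev.city, "to": cur.city,
                    "km": round(km), "minutes": round(hours * 60, 1),
                    "speed_kmh": round(speed),
                    "amount": cur.amount,
                })
    return alerts


# Constructed sample feed (not real transaction data): card-A shows the relay signature,
# card-B is ordinary local use, card-C is a plausible São Paulo to Rio trip.
T0 = datetime(2025, 12, 1, 10, 0)
SAMPLE_TXNS = [
    Txn("card-A", T0, 12.50, "chip", "São Paulo", -23.55, -46.63),
    Txn("card-A", T0 + timedelta(minutes=7), 980.00, "contactless", "Recife", -8.05, -34.88),
    Txn("card-B", T0, 30.00, "contactless", "São Paulo", -23.55, -46.63),
    Txn("card-B", T0 + timedelta(minutes=5), 45.00, "contactless", "São Paulo", -23.56, -46.64),
    Txn("card-C", T0, 20.00, "chip", "São Paulo", -23.55, -46.63),
    Txn("card-C", T0 + timedelta(hours=3), 60.00, "contactless", "Rio de Janeiro", -22.91, -43.17),
    Txn("card-C", T0 + timedelta(hours=4), 199.00, "ecommerce", "online", -22.91, -43.17),
]

if __name__ == "__main__":
    for a in relay_alerts(SAMPLE_TXNS):
        print(a)
```

In production the geolocation would come from the acquirer's terminal registry rather than the merchant city, and the alert would be one input to a risk score alongside merchant history and amount, not an automatic decline; the point of the check is that relay fraud, unlike card-not-present fraud, leaves a physically contradictory card-present trail.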