
Ghost Tap Malware Fuels Surge in Remote NFC Payment Fraud

By Team-CWD, January 7, 2026


A new wave of Android malware has been enabling cybercriminals to carry out unauthorized tap-to-pay transactions without physical access to victims’ bank cards.

The activity, documented in an advisory published today by Group-IB researchers, involves NFC-enabled applications sold and promoted within Chinese-language cybercrime communities on Telegram.

More than 54 malicious APK samples have been identified, many disguised as legitimate financial or payment apps. Once installed, the malware allows attackers to relay near-field communication (NFC) data remotely, making fraudulent transactions appear as legitimate in-person payments.

Victims are typically targeted through smishing and vishing campaigns. They are persuaded to install the malicious app and tap their payment card against their phone. From there, card data is transmitted via a command-and-control (C2) server to a criminal-controlled device, which completes transactions using illicitly obtained point-of-sale (POS) terminals.

How the Tap-to-Pay Scheme Works

The scam generally relies on two coordinated applications:

In some cases, criminals bypass direct victim interaction altogether. Mobile wallets preloaded with compromised cards are instead used by mule networks to make purchases in physical stores across multiple countries.


Group-IB identified several prominent vendors operating on Telegram, including TX-NFC, X-NFC and NFU Pay. These groups sell access to tap-to-pay malware for fees ranging from short-term trials to multi-month subscriptions. TX-NFC alone has reportedly amassed more than 21,000 subscribers, offering customer support and tailored builds for different regions.

Between November 2024 and August 2025, at least $355,000 in illegitimate transactions were linked to one POS terminal vendor advertising openly on Telegram. Receipts of successful cash-outs were frequently shared to promote credibility.

A Growing Global Impact

Law enforcement advisories and arrests across Europe, Asia and the US point to the expanding reach of these schemes. 

Cases in the Czech Republic, Singapore, Malaysia and the US have all involved suspects using mobile devices to conduct contactless payments without physical cards.

According to Group-IB, detections of tap-to-pay malware steadily increased from mid-2024 through late 2025. New variants continue to emerge while older ones remain active, suggesting the technique is spreading among fraud networks rather than being replaced.

To defend against this and similar threats, Group-IB recommended a combination of user education and enhanced fraud monitoring.

The firm advised financial institutions to raise awareness around smishing and vishing campaigns, monitor for rapid card enrolments in mobile wallets and watch for transactions occurring in quick succession across wide geographic areas.
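The two monitoring signals named above can be sketched as follows. This is an added example, not code from Group-IB or the article; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed thresholds for illustration; tune against real fraud data.
MAX_KMH = 900.0         # implied speed above a commercial flight
MIN_KM = 50.0           # ignore short hops inside one metro area
ENROL_WINDOW_S = 3600   # look-back window for wallet enrolments
MAX_CARDS = 3           # distinct cards one device may enrol per window

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(txns):
    """Flag consecutive taps on one card whose implied speed exceeds MAX_KMH."""
    alerts, last = [], {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        prev = last.get(t["card"])
        if prev:
            hours = max((t["ts"] - prev["ts"]).total_seconds(), 1) / 3600
            km = haversine_km(prev["pos"], t["pos"])
            if km > MIN_KM and km / hours > MAX_KMH:
                alerts.append((t["card"], prev["id"], t["id"], round(km)))
        last[t["card"]] = t
    return alerts

def rapid_enrolment(events):
    """Flag devices enrolling more than MAX_CARDS distinct cards in the window."""
    seen, flagged = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [x for x in seen.get(e["device"], []) if (e["ts"] - x["ts"]).total_seconds() <= ENROL_WINDOW_S]
        recent.append(e)
        seen[e["device"]] = recent
        if len({x["card"] for x in recent}) > MAX_CARDS:
            flagged.add(e["device"])
    return sorted(flagged)

# Constructed sample data (not real transactions).
ts = datetime.fromisoformat
TXNS = [
    {"id": "t1", "card": "c-01", "ts": ts("2025-08-01T10:00:00"), "pos": (50.08, 14.43)},   # Prague
    {"id": "t2", "card": "c-01", "ts": ts("2025-08-01T10:20:00"), "pos": (1.35, 103.82)},   # Singapore
    {"id": "t3", "card": "c-02", "ts": ts("2025-08-01T10:00:00"), "pos": (50.08, 14.43)},
    {"id": "t4", "card": "c-02", "ts": ts("2025-08-01T10:30:00"), "pos": (50.09, 14.40)},
]
ENROLS = [{"device": "dev-A", "card": f"c-{i:02d}", "ts": ts(f"2025-08-01T09:{i:02d}:00")} for i in range(1, 6)]
ENROLS.append({"device": "dev-B", "card": "c-09", "ts": ts("2025-08-01T09:00:00")})
```

In production these checks would run alongside device and merchant risk signals, since a relayed tap reaches the issuer looking like an ordinary card-present payment.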

Group-IB also urged stronger merchant vetting and improved know-your-customer (KYC) checks, alongside the use of threat intelligence and fraud protection tools to detect malicious applications and abnormal behavior on user devices.


