Cyber threat intelligence analysts at Resecurity warn of an uptick in Near Field Communication (NFC)-related fraud, with recent investigations pointing to highly adaptable Chinese cybercriminals exploiting contactless payment technologies on a global scale.
According to Resecurity, a growing number of banks, FinTech firms, and credit unions have reported sophisticated fraud operations leveraging NFC against ATMs and point-of-sale (POS) terminals.
Chinese-speaking cybercriminal groups, many of which are believed to be connected to state-sponsored or state-tolerated syndicates, are using advanced tools to carry out fraud at scale. These operations often involve "device farms" — clusters of Android phones configured with NFC-enabled cards — to automate illicit transactions.
The fraud scheme relies on the use of Host Card Emulation (HCE), a feature on Android that allows a smartphone to emulate a contactless smart card. By registering a service that extends the HostApduService class, malicious apps can respond to Application Protocol Data Unit (APDU) commands, which are the standard form of communication between NFC card readers and smart cards. This capability enables the phone to behave like a real NFC payment card during point-of-sale transactions, effectively fooling terminals into processing unauthorized payments.
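For app vetting, the HCE registration described above is visible in an app's manifest. The following is an added example, not code from Resecurity or from any of the tools named in this article: a small Python audit that finds services bound to HostApduService and lists the payment-category AIDs they claim. It assumes the manifest and its XML resource have already been decoded to text (for instance with apktool); the app, service names and AID values are constructed samples.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"

# Constructed sample: decoded manifest of a hypothetical app under review.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <service android:name=".CardService" android:permission="android.permission.BIND_NFC_SERVICE">
   <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
   <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>
  </service>
  <service android:name=".SyncService"/>
 </application></manifest>"""

# Constructed sample: the res/xml/apduservice.xml that the meta-data entry points to.
APDU_XML = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android">
 <aid-group android:category="payment">
  <aid-filter android:name="A0000000041010"/><aid-filter android:name="A0000000031010"/>
 </aid-group>
 <aid-group android:category="other"><aid-filter android:name="F0010203040506"/></aid-group>
</host-apdu-service>"""

def hce_services(manifest_xml):
    """Map each service handling HOST_APDU_SERVICE to its AID resource reference."""
    found = {}
    for svc in ET.fromstring(manifest_xml).iter("service"):
        if HCE_ACTION not in {a.get(A + "name") for a in svc.iter("action")}:
            continue
        found[svc.get(A + "name")] = next(
            (m.get(A + "resource") for m in svc.iter("meta-data")
             if m.get(A + "name") == HCE_META), None)
    return found

def payment_aids(apdu_xml):
    """List AIDs registered under category="payment" in a host-apdu-service resource."""
    return [f.get(A + "name")
            for g in ET.fromstring(apdu_xml).iter("aid-group")
            if g.get(A + "category") == "payment"
            for f in g.iter("aid-filter")]

def audit(manifest_xml, resources):
    """Report HCE services and flag those that claim payment AIDs."""
    report = []
    for name, res in hce_services(manifest_xml).items():
        aids = payment_aids(resources.get(res, "<host-apdu-service/>"))
        report.append({"service": name, "payment_aids": aids, "flag": bool(aids)})
    return report
```

Calling `audit(MANIFEST, {"@xml/apduservice": APDU_XML})` returns one flagged entry for `.CardService`. Legitimate wallet apps register payment AIDs in the same way, so a flag marks an app for review against its stated purpose and distribution source rather than proving fraud.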
Apps such as Mycard, Airpay, and Track2NFC — originally designed for secure and legitimate NFC card emulation — are being manipulated to commit fraud. Cybercriminals have also developed their own software tools, like Z-NFC and King NFC, which are sold via Telegram channels under subscription models. The tools allow attackers to emulate smart card transactions using Android phones and make fraudulent purchases undetected. Z-NFC provides not only the software package but also ongoing technical support and tutorials to assist buyers in executing fraud effectively. King NFC, previously marketed on the Dark Web, has similar functionality.
Resecurity reports that affected regions include the United States, United Kingdom, European Union, Australia, Canada, Japan, and several others across Asia and the Middle East. Victims range from everyday consumers to major banking institutions. Notably, financial services such as Barclays, Revolut, HSBC, and WISE have been explicitly targeted.
The Resecurity findings follow a report from the Cleafy Threat Intelligence team on a new and highly sophisticated Android malware campaign dubbed ‘SuperCard X’, which leverages an advanced NFC-relay attack to authorize fraudulent transactions at point-of-sale (POS) terminals and automated teller machines (ATMs).