You Attached Your Card to Your Phone at the "Bank's" Request? Congratulations — a Hacker is Now Withdrawing Your Money via NFC in Another Country

21 thousand Telegram subscribers, $355 thousand stolen in a year, arrests from Prague to Tennessee.

Group-IB researchers have documented a rapid proliferation of Android malware on the dark market that utilizes NFC and simulates contactless payments. They link the development and sale of such applications to Chinese-speaking criminal communities on Telegram. Within these chats, the tools are often promoted as CardWallet or remote pay, while in English-language discussions they have become known as Ghost Tap.
The scheme is based on intercepting and relaying NFC communication. On the victim's side is a phone or wallet with payment cards whose data has already been compromised. On the attacker's side is a second smartphone that receives this communication and allows for a payment or cash withdrawal as if the card were physically next to the terminal. Typically, the link is a Command and Control (C2) server: through it, payment data is transmitted from the victim's device to the attacker's device and then used for transactions via POS terminals.
According to public investigations, the terminals are sometimes sold by the malware vendors' partners themselves, so buyers have an all-in-one infrastructure ready.
Group-IB notes that victims are often tricked into installing such applications through smishing (SMS) attacks and social engineering calls. In these scenarios, people are convinced to install the "necessary" program and hold their bank card to their phone. After that, the contactless interaction data is sent to the C2 server, and on the other end of the chain, the attacker conducts transactions either directly or through a network of "drops" who go to regular stores and pay at the checkout with a modified tap-to-pay app.
There is another method: instead of working with specific individuals, criminals use devices with mobile wallets where compromised cards have already been pre-loaded. Public reports of arrests in various countries also point to the use of networks of "mules" who purchase goods offline using such applications.
In both variations, the scheme almost always relies on two applications with different roles:
- reader: installed on the victim's device and interacts with the bank card.
- tapper: operates on the attacker's device and conducts transactions.
From August 2024 to August 2025, several such malware families were mentioned in professional communities: NGate, ZNFC, SuperCard X, and PhantomCard. In the Group-IB Threat Intelligence Portal, detailed profiles of TX-NFC, NFU Pay, and other samples are specifically indicated as available to clients.
Various countries have already issued warnings and made high-profile arrests. For example:
- In March 2024, Czech police reported the arrest of a 22-year-old suspect following a complaint about strange cash withdrawals without a physical card.
- In October 2024, the Texas Bankers Association published a bulletin on countering the NFC tool TRACK2 NFC.
- In November 2024, two Malaysian and three Chinese citizens were arrested in Singapore for contactless payments in luxury stores.
- In January 2025, Credit China – Sichuan described two attack cases with losses of at least $13,000.
- In March 2025, 11 Chinese citizens were arrested in Tennessee after purchasing tens of thousands of dollars worth of gift cards via Android applications.
The collected data indicates that the market is already quite well-formed and established. Group-IB highlights three major brands: TX-NFC, X-NFC, and NFU Pay. Besides them, there are smaller vendors distributing versions of the same programs under different names. Functional differences between versions are minimal and mainly concern the interface and scale of distribution.
- TX-NFC is one of the most prominent vendors. Its Telegram channel appeared on January 7, 2025, and at the time of discovery had over 21,000 subscribers. Support was conducted in English, operating in shifts. Access to the application cost from $45 per day to $1,050 for 3 months. TX-NFC was distributed as two separate applications: reader and tapper.
- X-NFC first appeared in December 2024 and quickly gained over 5,000 members. Its feature is the ability to switch the device's role between reader and tapper within a single application.
- NFU Pay was first spotted in April 2025. Despite having fewer subscribers, the application was actively resold by other vendors. NFU also supports switching between reader and tapper roles.
TX-NFC uses LoginActivity for authentication and MainActivity for processing NFC events. Upon detecting a card, the app sends a SELECT APDU for the payment system environment (PPSE, named 2PAY.SYS.DDF01) and retrieves the available AIDs from the response, then launches WebSocketService to relay data between reader and tapper via C2.
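To make the PPSE step concrete from an analyst's side, the following Python is an added example (not code from the Group-IB report or from any of the tools it describes). It shows what a PPSE SELECT looks like in a captured APDU stream, which is a useful behavioural indicator when a sandbox hooks the NFC transceive path, and it parses the BER-TLV response to show that this first exchange yields only the list of AIDs and labels, not account data. The response bytes are constructed here; the two AIDs are the well-known public Mastercard and Visa values, and the labels are placeholders.

```python
# Added example: recognising a PPSE SELECT and decoding the AIDs in its response.
PPSE_NAME = b"2PAY.SYS.DDF01"
# Standard "SELECT by name" header for the PPSE: CLA=00 INS=A4 P1=04 P2=00 Lc=0E, then the name, then Le=00.
PPSE_SELECT_APDU = b"\x00\xA4\x04\x00\x0E" + PPSE_NAME + b"\x00"


def is_ppse_select(apdu: bytes) -> bool:
    """True if a captured command APDU is a SELECT of the contactless PPSE."""
    return len(apdu) >= 5 + 14 and apdu[:4] == b"\x00\xA4\x04\x00" and apdu[5:19] == PPSE_NAME


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element (used only to build the constructed sample)."""
    return tag + _encode_len(len(value)) + value


# Constructed PPSE FCI response: 6F{ 84=name, A5{ BF0C{ 61{4F,50,87}, 61{4F,50,87} } } }.
SAMPLE_PPSE_FCI = tlv(b"\x6F",
    tlv(b"\x84", PPSE_NAME)
    + tlv(b"\xA5", tlv(b"\xBF\x0C",
        tlv(b"\x61", tlv(b"\x4F", bytes.fromhex("A0000000041010")) + tlv(b"\x50", b"CARD-LABEL-1") + tlv(b"\x87", b"\x01"))
        + tlv(b"\x61", tlv(b"\x4F", bytes.fromhex("A0000000031010")) + tlv(b"\x50", b"CARD-LABEL-2") + tlv(b"\x87", b"\x02")))))


def parse_tlv(data: bytes) -> list[tuple[bytes, bytes]]:
    """Split one level of BER-TLV into (tag, value) pairs; multi-byte tags and lengths supported."""
    items, i = [], 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:            # subsequent tag bytes follow while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: low 7 bits give the number of length bytes
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        i += length
        items.append((tag, value))
    return items


def is_constructed(tag: bytes) -> bool:
    return bool(tag[0] & 0x20)


def extract_aids(fci: bytes) -> list[str]:
    """Collect every AID (tag 4F) from a PPSE FCI, descending into constructed templates."""
    aids = []
    for tag, value in parse_tlv(fci):
        if tag == b"\x4F":
            aids.append(value.hex().upper())
        elif is_constructed(tag):
            aids.extend(extract_aids(value))
    return aids


if __name__ == "__main__":
    print("PPSE select recognised:", is_ppse_select(PPSE_SELECT_APDU))
    print("AIDs offered by the card:", extract_aids(SAMPLE_PPSE_FCI))
```

In a dynamic-analysis harness, an app that issues this SELECT over IsoDep while also holding a live WebSocket connection is exactly the reader-role behaviour the text describes, and that combination is a stronger signal than either observation alone.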
NFU differs with an extended set of permissions:
Code:
android.permission.NFC
android.permission.NFC_PREFERRED_PAYMENT_INFO
android.permission.WAKE_LOCK
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.FOREGROUND_SERVICE
android.permission.FOREGROUND_SERVICE_DATA_SYNC
android.permission.USE_EXACT_ALARM
android.permission.VIBRATE
android.permission.SCHEDULE_EXACT_ALARM
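As an added example (not from the report and not a Group-IB detection rule), the following Python turns a permission list like the one above into a quick triage verdict. It pulls uses-permission entries out of a manifest with the standard library XML parser and groups them into the capabilities that matter for a tap-to-pay relay candidate: card access, network relay, background persistence, precise timing, and device fingerprinting. The manifest text is constructed here and mirrors the NFU permission set quoted above; the package name is a placeholder and the capability groups are this example's own heuristic.

```python
# Added example: capability triage of an Android manifest's permission set.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment; the permissions are the NFU set from the text, the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.NFC_PREFERRED_PAYMENT_INFO"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC"/>
  <uses-permission android:name="android.permission.USE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
</manifest>"""

# Heuristic capability groups (this example's own, not a vendor signature).
CAPABILITIES = {
    "card_access": {"android.permission.NFC", "android.permission.NFC_PREFERRED_PAYMENT_INFO"},
    "network_relay": {"android.permission.INTERNET"},
    "background_persistence": {"android.permission.FOREGROUND_SERVICE",
                               "android.permission.FOREGROUND_SERVICE_DATA_SYNC",
                               "android.permission.WAKE_LOCK"},
    "precise_timing": {"android.permission.SCHEDULE_EXACT_ALARM", "android.permission.USE_EXACT_ALARM"},
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE"},
}


def extract_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values from every uses-permission element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage_permissions(perms: set[str]) -> dict:
    """Map permissions onto capability groups and flag the NFC-plus-network relay profile."""
    hits = {cap: sorted(perms & needed) for cap, needed in CAPABILITIES.items() if perms & needed}
    relay_profile = "card_access" in hits and "network_relay" in hits
    return {"capabilities": hits, "nfc_relay_profile": relay_profile, "score": len(hits)}


if __name__ == "__main__":
    verdict = triage_permissions(extract_permissions(SAMPLE_MANIFEST))
    for cap, matched in verdict["capabilities"].items():
        print(f"{cap}: {', '.join(matched)}")
    print("NFC relay profile:", verdict["nfc_relay_profile"], "| score:", verdict["score"])
```

A legitimate banking or transit app can also hold NFC and INTERNET, so the relay profile is a reason to look closer (sideloaded, no Play listing, a WebSocket service started on card detection), not a verdict on its own.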
During the investigation, Group-IB employees posed as buyers and contacted vendors. The NFU Pay administrator claimed to make custom builds, including ones with authentication disabled on the reader side to speed up attacks. PhantomCard, according to researchers' assessment, is a variant of NFU. TX-NFC, in turn, bears a noticeable resemblance to the NFCProxy project available on GitHub.
POS terminals play a separate role in the scheme. Group-IB describes the Telegram channel Oedipus, associated with vendors of tap-to-pay tools. The channel has been active since November 2024 and advertises terminals from different regions of the world. According to data from the channel's messages, from November 2024 to August 2025, approximately $355,000 was processed through such terminals. Receipts of successful transactions are also found in the publications.
Group-IB Fraud Protection statistics for the period from May 2024 to December 2025 show a steady increase in the detection of tap-to-pay malware. New variants appear while old ones continue to operate.
In conclusion, Group-IB provides recommendations.
- For banks and payment systems, it advises enhancing customer awareness, using threat intelligence, monitoring anomalies in card additions and transactions, and tightening KYC (Know Your Customer) procedures.
- Users are advised to be cautious of suspicious messages and calls, not to install applications from unknown sources, regularly check card settings, and immediately contact their bank if they suspect a compromise.
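The bank-side recommendation to monitor anomalies in card additions and transactions can be illustrated with two simple rules over an event feed. The Python below is an added example, not Group-IB's tooling or any bank's production logic: it flags a contactless POS payment in a different country within a day of the card being added to a mobile wallet (the pattern in the headline), and a second POS payment in yet another country within two hours of the previous one. The event feed, card tokens, device identifiers and thresholds are all constructed for the example.

```python
# Added example: anomaly rules for tap-to-pay fraud over a constructed event feed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "card_added": card provisioned into a mobile wallet; "pos_tx": contactless POS payment
    card: str        # tokenised card reference, never the PAN
    country: str     # country where the event was observed
    device: str      # device or app instance that produced the event
    amount: float = 0.0


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample feed (not real bank data): tok_1111 is added to a wallet in CZ and then
# paid with in the US and Singapore within hours; tok_2222 is used where it was added.
SAMPLE_EVENTS = [
    Event(_t("2025-03-01T09:00"), "card_added", "tok_1111", "CZ", "dev-A"),
    Event(_t("2025-03-01T12:30"), "pos_tx", "tok_1111", "US", "dev-X", 480.00),
    Event(_t("2025-03-01T13:10"), "pos_tx", "tok_1111", "US", "dev-X", 520.00),
    Event(_t("2025-03-01T14:00"), "pos_tx", "tok_1111", "SG", "dev-Y", 300.00),
    Event(_t("2025-03-01T10:00"), "card_added", "tok_2222", "DE", "dev-B"),
    Event(_t("2025-03-01T11:00"), "pos_tx", "tok_2222", "DE", "dev-B", 12.50),
]


def detect_tap_to_pay_anomalies(events, add_window=timedelta(hours=24), travel_window=timedelta(hours=2)):
    """Return alerts for foreign POS use soon after a wallet add, and for rapid multi-country POS use."""
    alerts = []
    last_added = {}      # card -> most recent card_added event
    last_tx = {}         # card -> most recent pos_tx event
    seen_foreign = set() # (card, country) pairs already alerted under the first rule
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "card_added":
            last_added[ev.card] = ev
            continue
        if ev.kind != "pos_tx":
            continue
        added = last_added.get(ev.card)
        if added and ev.ts - added.ts <= add_window and ev.country != added.country:
            if (ev.card, ev.country) not in seen_foreign:
                seen_foreign.add((ev.card, ev.country))
                alerts.append({
                    "rule": "foreign_pos_after_card_add", "card": ev.card,
                    "added_in": added.country, "paid_in": ev.country, "device": ev.device,
                    "hours_after_add": round((ev.ts - added.ts).total_seconds() / 3600, 2),
                })
        prev = last_tx.get(ev.card)
        if prev and prev.country != ev.country and ev.ts - prev.ts <= travel_window:
            alerts.append({
                "rule": "multi_country_velocity", "card": ev.card,
                "from": prev.country, "to": ev.country,
                "minutes_apart": int((ev.ts - prev.ts).total_seconds() // 60),
            })
        last_tx[ev.card] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_tap_to_pay_anomalies(SAMPLE_EVENTS):
        print(alert)
```

The first rule keys on the wallet provisioning event rather than on the card itself, because a card that has been compromised through the reader app is typically added to a wallet on a device the issuer has never seen before; the second rule is a plain impossible-travel check restricted to contactless POS channels.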