MilikMilik

NFC Relay Attacks on Android Phones: How to Protect Your Mobile Payments


What Are NFC Relay Attacks and Why Are They Rising?

NFC relay attacks on Android smartphones are a form of mobile payment theft in which criminals intercept or manipulate near-field communication signals to steal card data or redirect victims’ funds through compromised contactless payment systems. According to Kaspersky telemetry, NFC-based attacks that aim to steal money from Android users increased by 188% in the first four months of 2026 compared with the same period in 2025. Kaspersky products blocked 35,600 NFC-related attacks from January to April 2026, up from over 12,300 a year earlier. These attacks often rely on Android payment security weaknesses created by malicious apps and social engineering, not flaws in NFC technology itself. As mobile wallets and tap-to-pay features become more common, attackers see an opportunity to copy, relay, or replace legitimate NFC signals with their own, turning convenient contactless payments into a target.

How Direct NFC Attacks Steal Card Data

Direct NFC attacks work by tricking victims into handing over their card data and PIN through an infected Android device. Attackers reach out via messaging apps, pretending to be bank staff or service providers who need to “verify” a user’s identity. They convince the victim to install a fake financial app that is actually malware from families such as SuperCard X, PhantomCard, NGate, or modified versions of the NFCGate tool. Once installed, the app prompts the victim to tap their physical bank card against the compromised phone and enter the PIN. The malicious app captures the card details and authentication data, then sends them to the attacker. This method relies entirely on social engineering and user trust, showing how Android payment security can be undermined when people sideload apps or follow instructions from unknown contacts.

The New Threat: Reverse NFC and Relay-Based Fraud

Reverse NFC attacks focus on redirecting victims’ own payments to criminals by changing how the phone handles contactless transactions. In this scheme, scammers send a malicious app and persuade the victim to set it as the primary contactless payment method on their Android phone. The app then generates an NFC signal that ATMs interpret as the attacker’s card instead of the victim’s. Under a social engineering pretext, such as moving money to a “secure account,” victims are guided to an ATM and told to deposit funds using their phone. In reality, they transfer money to accounts controlled by criminals. Kaspersky experts note that reverse NFC has become more common and is harder to detect because the transactions look like normal user-initiated deposits, making this type of mobile payment theft more difficult for banks and users to dispute.

Tools, Trends, and the Growing NFC Threat Landscape

Modern NFC relay attacks often use modified legitimate tools and malware-as-a-service offerings, which lower the barrier for would-be attackers. The first publicly reported campaigns using altered NFC tools appeared in late 2023 and have since expanded, with malware families such as SuperCard X, PhantomCard, NGate, and NFCGate-based variants being detected by security products. Kaspersky reports that 35,600 NFC-based attacks on Android smartphones were blocked in the first four months of 2026, indicating that threat actors are actively reusing and refining these techniques to compromise Android payment security. Packaging NFC relay malware as a subscription or service means less experienced criminals can rent ready-made tools instead of building them. This trend suggests that both the volume and geographic spread of NFC relay campaigns are likely to grow, pushing users and financial institutions to strengthen contactless payment protection measures.

Practical Steps for Stronger Contactless Payment Protection

Users can reduce their exposure to NFC relay attacks by combining technical settings with cautious behavior. Disable NFC on your Android phone when you are not making contactless payments, so attackers have fewer chances to misuse the feature. Use official app stores and avoid installing apps from links in messaging apps, social networks, SMS, or phone calls. Set transaction limits and alerts in your banking or wallet apps so unusual payments are easier to spot and stop. Make sure your default tap-to-pay app is a trusted, secure wallet, not an unknown or newly installed application. At ATMs, ignore instructions from strangers, regardless of the story they tell or authority they claim. Finally, install a reliable mobile security solution that can block phishing pages, detect malicious NFC tools, and stop malware before it reaches your contactless payment data.
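For anyone who manages Android devices, the default tap-to-pay check above can be automated. The following is an added example, not code from Kaspersky or from this article: it audits the default payment component and its install source, with the package names, allowlists and sample outputs all constructed for illustration. It assumes the device exposes its default in the `nfc_payment_default_component` secure setting; newer Android releases may track the default wallet elsewhere.

```python
import re

# Constructed sample inputs (not from a real device). On a handset with USB
# debugging enabled, the equivalent data is collected with:
#   adb shell settings get secure nfc_payment_default_component
#   adb shell pm list packages -i
SAMPLE_DEFAULT = "com.example.securebank.verify/.HceService"
SAMPLE_PM_LIST = """\
package:com.google.android.apps.walletnfcrel  installer=com.android.vending
package:com.example.securebank.verify  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Assumption: both allowlists are local policy chosen by whoever runs the audit.
TRUSTED_WALLETS = {"com.google.android.apps.walletnfcrel"}
TRUSTED_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package name -> installer package ('null' means sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        match = _PM_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def audit_default_payment(default_component, pm_output,
                          wallets=TRUSTED_WALLETS, stores=TRUSTED_INSTALLERS):
    """Return findings about the app set as the default tap-to-pay service."""
    value = (default_component or "").strip()
    if value in ("", "null"):
        return []  # no default payment service configured
    package = value.split("/", 1)[0]  # component is "package/ServiceClass"
    findings = []
    if package not in wallets:
        findings.append(f"default tap-to-pay app {package} is not an approved wallet")
    installer = parse_installers(pm_output).get(package)
    if installer is None:
        findings.append(f"{package} not found in package list")
    elif installer not in stores:
        findings.append(f"{package} was installed by {installer}, not an approved store")
    return findings


if __name__ == "__main__":
    for finding in audit_default_payment(SAMPLE_DEFAULT, SAMPLE_PM_LIST):
        print("FINDING:", finding)
```

A finding on either check matches the reverse NFC pattern described earlier: a sideloaded app that has been made the phone's primary contactless payment method.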
