Chinese threat actors are conducting an aggressive campaign that distributes NFC-enabled Android malware capable of intercepting and remotely relaying payment card data via Telegram.
Identified as “Ghost Tap” and linked to threat groups including TX-NFC and NFU Pay, the malicious applications employ social engineering tactics to deceive users into installing APKs and unknowingly facilitating fraudulent transactions across international markets.
Security researchers at Group-IB have identified more than 54 unique malware samples associated with this operation, with some variants deliberately masquerading as legitimate banking and financial applications.
The malware family represents a significant evolution in mobile payment fraud, leveraging Near Field Communication (NFC) relay technology to enable contactless card fraud on a global scale.
How the Attack Works
The attack chain demonstrates sophisticated operational design. Victims are initially targeted through social engineering campaigns promoting what appear to be legitimate financial or utility applications distributed via compromised or malicious APK repositories.
Once installed, the malware establishes a relay mechanism between the victim’s NFC-enabled device and attacker-controlled command-and-control (C2) servers.
The technical implementation utilizes a two-device relay architecture. The victim’s smartphone acts as a reader device, positioned near target payment cards, while an attacker-controlled device functions as a transceiver communicating with point-of-sale (POS) terminals or ATMs.

By relaying card data through C2 infrastructure, threat actors circumvent proximity requirements inherent to legitimate NFC transactions, enabling fraudsters to conduct unauthorized purchases and cash withdrawals from anywhere globally.
Group-IB researchers documented that threat operators distribute their malware exclusively through Telegram channels, where subscription-based access models generate revenue.
TX-NFC, identified as the primary vendor, advertises tiered subscription plans ranging from $45 for single-day access to $1,050 for three-month access periods.
These models suggest a sophisticated criminal service provider offering NFC relay capabilities to a broader ecosystem of cybercriminals.
The malware variants expose customizable settings, allowing buyers to configure attacks to their specific operational requirements.
The group offers 24-hour Telegram-based customer support, indicating professional service operations comparable to legitimate software vendors.
Technical analysis reveals the code implements encryption, command-and-control obfuscation, and anti-analysis mechanisms designed to evade detection by mobile security solutions.
Geographic and Victim Targeting
Telemetry data indicates the malware targets victims across multiple continents, with documented detections in Europe, Asia, and other regions.
Primary geographic targets include Brazil, Italy, Malaysia, Turkey, Uzbekistan, Greece, and Indonesia, regions with significant contactless payment adoption and comparatively lower mobile security awareness.
The geographic distribution suggests threat actors have deliberately selected markets where NFC-based fraud detection systems may be underdeveloped.
This operation represents a critical convergence of mobile malware capabilities and payment fraud infrastructure.
Unlike traditional card skimming or credential theft, NFC relay technology enables fraudsters to bypass physical security requirements, two-factor authentication mechanisms, and real-time transaction monitoring systems dependent on possession verification.
The professionalized nature of the TX-NFC and NFU Pay operations, evidenced by customer support infrastructure, subscription monetization, and technical sophistication, indicates this represents an organized cybercriminal enterprise rather than opportunistic malware campaigns.
Financial institutions and payment processors must prioritize mobile endpoint security, transaction monitoring for anomalous NFC relay patterns, and public awareness campaigns warning consumers against installing financial applications from untrusted sources.
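One concrete form the "anomalous NFC relay pattern" monitoring above can take is an impossible-travel check: a relay lets a card be tapped at a terminal far from where the physical card was used moments earlier, so two card-present taps whose implied travel speed exceeds anything a courier or airliner could manage are worth flagging. The following is an added illustration, not code from Group-IB or the article; the transaction record layout, the tokenised card identifiers and the sample transactions are all constructed for this example.

```python
"""Added example (not from the Group-IB report): impossible-travel screening
of contactless card-present transactions as one signal for NFC relay fraud.

Assumptions (hypothetical): every card-present transaction carries a UTC
timestamp, the terminal's geolocation and a tokenised card reference. The
sample transactions below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ContactlessTxn:
    card_id: str        # tokenised card reference, never the PAN itself
    ts: datetime        # terminal timestamp, UTC
    lat: float          # terminal latitude
    lon: float          # terminal longitude
    terminal_id: str
    amount: float


# Fastest plausible movement of a physical card between two taps (commercial
# flight speed with headroom). A relayed tap makes the card appear in two
# distant places within minutes, far above this bound.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two terminal locations."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: ContactlessTxn, b: ContactlessTxn) -> float:
    """Speed the physical card would have needed to be present at both taps."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0.0:
        # Simultaneous taps at different terminals are the clearest relay tell.
        return float("inf") if dist > 0.0 else 0.0
    return dist / hours


def flag_impossible_travel(txns: Iterable[ContactlessTxn],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Dict]:
    """Return one alert per consecutive pair of taps on the same card whose
    implied speed exceeds max_speed_kmh."""
    by_card: Dict[str, List[ContactlessTxn]] = {}
    for t in txns:
        by_card.setdefault(t.card_id, []).append(t)

    alerts: List[Dict] = []
    for card_id, card_txns in by_card.items():
        card_txns.sort(key=lambda t: t.ts)
        for prev, cur in zip(card_txns, card_txns[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                alerts.append({
                    "card_id": card_id,
                    "from_terminal": prev.terminal_id,
                    "to_terminal": cur.terminal_id,
                    "minutes_apart": round((cur.ts - prev.ts).total_seconds() / 60, 1),
                    "implied_speed_kmh": round(speed, 1),
                })
    return alerts


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: tok-A is tapped in Milan and then in Sao Paulo half an
# hour later (relay-like); tok-B is tapped twice in Istanbul three hours apart.
SAMPLE_TXNS = [
    ContactlessTxn("tok-A", _utc("2025-01-10T10:00:00"), 45.4642, 9.1900, "POS-MIL-01", 38.50),
    ContactlessTxn("tok-A", _utc("2025-01-10T10:30:00"), -23.5505, -46.6333, "ATM-SAO-07", 400.00),
    ContactlessTxn("tok-B", _utc("2025-01-10T09:00:00"), 41.0082, 28.9784, "POS-IST-03", 12.00),
    ContactlessTxn("tok-B", _utc("2025-01-10T12:00:00"), 41.0369, 28.9850, "POS-IST-11", 27.75),
]


if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_TXNS):
        print(alert)
```

This check only catches relays whose cash-out terminal is geographically implausible relative to the card's last genuine tap; a relay to a terminal in the same city passes it, so in practice it is one signal to combine with others (issuer-side velocity limits, terminal reputation, and device-side checks on the cardholder's phone) rather than a standalone control.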
