A dangerous new Android malware called DevilNFC has emerged, combining NFC relay attacks with a Kiosk Mode trap that locks victims inside a fake banking screen until their card data is stolen.
The malware targets customers across Europe and LATAM with technical precision rarely seen in independently built tools.
Unlike previous threats, DevilNFC does not rely on shared infrastructure or borrowed code — it is built entirely from the ground up by a distinct threat actor group.
The attack begins with a phishing message via SMS or WhatsApp, directing the victim to a landing page impersonating the Google Play Store.
The page presents the malicious app as a mandatory security update from a legitimate Spanish-language banking institution.
Once installed, the malware activates immediately and the victim loses control of their device without realizing it.
Analysts at Cleafy, whose Threat Intelligence and Response team identified and analyzed the malware, noted that DevilNFC is the more advanced of two newly documented NFC relay families, with the other being NFCMultiPay.
Cleafy said in a report shared with Cyber Security News (CSN) that despite sharing no code or infrastructure, both families are actively conducting NFC relay attacks against banking customers.
Their concurrent appearance across overlapping geographies marks a significant turning point in the NFC relay threat landscape.
DevilNFC Android Malware Uses Kiosk Mode
What makes DevilNFC especially alarming is how completely it isolates the victim. On launch, the malware locks the device using Android’s Kiosk Mode, displaying a social engineering template fetched from a remote server.
The system UI disappears and the hardware back button is disabled, trapping the victim inside the fraudulent interface while the relay completes. Both malware families show development patterns consistent with generative AI-assisted tooling.
Over-engineered phishing templates in DevilNFC and LLM-characteristic emoji-formatted logging in NFCMultiPay point to operators using uncensored AI models alongside leaked malware codebases from public repositories, which considerably lowers the barrier to building functional Android malware.
Once the victim opens the app, DevilNFC activates Kiosk Mode to hide the system UI and override the hardware back button with an empty handler.
This traps the victim inside the malicious interface while the relay session completes silently. A fake verification pop-up rendered remotely from a C2 template then prompts the victim to enter their four-digit card PIN after the first card tap.
The PIN is exfiltrated to two destinations simultaneously: a dedicated C2 endpoint and the attacker’s private Telegram channel, sent in plaintext alongside the bank name and victim’s public IP address.
The interface then deliberately triggers a fake verification error, instructing the victim to hold their card for an extra ten seconds.
This is a designed extension of the relay window, ensuring the transaction completes before any success screen appears.
DevilNFC uses a Dual-Role APK architecture where a single application serves as both a passive NFC reader on the victim’s unrooted device and a card emulator on the attacker’s rooted hardware.
This is achieved through a hooking framework injecting DevilNFC’s relay module directly into Android’s NFC daemon process. The result is a relay pipeline capable of authorizing ATM withdrawals and chip-and-PIN transactions at any global point of sale.
AI-Assisted Development and the Broader Threat Shift
Both malware families carry indicators of AI-assisted development. In DevilNFC, phishing templates from the live C2 are over-engineered relative to their function, featuring CSS and JavaScript structured with architectural precision and deliberate edge-case error handling.
NFCMultiPay’s debug logs show emoji-categorized metric labels separated by ASCII borders, a pattern characteristic of LLM-generated logging scaffolding.
This trend is confirmed by ESET Research, which in April 2025 identified a new NGate variant targeting Brazilian users where injected code carries the same AI development indicators and Portuguese strings.
Local groups are no longer purchasing access to Chinese platforms — they are building their own tools. Researchers recommend that users avoid installing apps outside official stores, never enter a card PIN in a session they did not initiate, and report any device locked to a full-screen interface to their bank immediately.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | nfcrackatm[.]com | DevilNFC C2 / Relay Server |
| Domain | spicynagets[.]shop | DevilNFC C2 / Relay Server |
| IPv4 | 185.203.116[.]18 | NFCMultiPay C2 |
| IPv4 | 47.253.167[.]219 | NFCMultiPay C2 |
| MD5 | caa5e8cf3275339d251210072ebe88c2 | DevilNFC APK Sample |
| MD5 | 35dd9c3a56e88a39bf6c8fdad46b0398 | NFCMultiPay APK Sample |
| MD5 | 9d19527aeb4cabfb40bbaea6d73b5ff0 | NFCMultiPay APK Sample |
| Package Name | com.devilnfc.reader | DevilNFC APK Package Name |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
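The note above leaves the analyst with two chores: checking that each published indicator is well-formed before it is loaded, and re-fanging it only at the moment it enters the controlled platform. The following Python is an added example (not Cleafy's or CSN's code) that parses the IoC table exactly as printed, validates each indicator by type, keeps the values defanged by default, and re-fangs them only when asked to emit MISP-style attributes. The MISP type and category mapping (including treating the package name as a non-detection `text` attribute) is this example's own assumption, not something the report specifies.

```python
import ipaddress
import re

# Constructed input: the IoC table from the article above, copied as markdown.
# The indicators are the page's own, defanged exactly as published.
IOC_TABLE = """\
| Type | Indicator | Description |
|---|---|---|
| Domain | nfcrackatm[.]com | DevilNFC C2 / Relay Server |
| Domain | spicynagets[.]shop | DevilNFC C2 / Relay Server |
| IPv4 | 185.203.116[.]18 | NFCMultiPay C2 |
| IPv4 | 47.253.167[.]219 | NFCMultiPay C2 |
| MD5 | caa5e8cf3275339d251210072ebe88c2 | DevilNFC APK Sample |
| MD5 | 35dd9c3a56e88a39bf6c8fdad46b0398 | NFCMultiPay APK Sample |
| MD5 | 9d19527aeb4cabfb40bbaea6d73b5ff0 | NFCMultiPay APK Sample |
| Package Name | com.devilnfc.reader | DevilNFC APK Package Name |
"""


def refang(value):
    """Undo the common [.] / (.) / [dot] and hxxp conventions so a value resolves inside a TI platform."""
    out = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", value, flags=re.I)
    return re.sub(r"^hxxp", "http", out, flags=re.I)


def defang(value):
    """Make an indicator non-resolving again, using the article's [.] convention."""
    out = refang(value).replace(".", "[.]")
    return re.sub(r"^http", "hxxp", out, flags=re.I)


def _is_domain(v):
    # RFC-style label rules: 1-63 chars per label, alphanumeric with inner hyphens, alphabetic TLD.
    return re.fullmatch(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", v.lower()) is not None


def _is_ipv4(v):
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def _is_md5(v):
    return re.fullmatch(r"[0-9a-f]{32}", v.lower()) is not None


def _is_package(v):
    # Android package names: dot-separated Java identifiers.
    return re.fullmatch(r"(?:[a-z_][a-z0-9_]*\.)+[a-z_][a-z0-9_]*", v, flags=re.I) is not None


# Validators keyed by the "Type" column as printed in the table.
VALIDATORS = {"Domain": _is_domain, "IPv4": _is_ipv4, "MD5": _is_md5, "Package Name": _is_package}

# Assumed mapping to MISP attribute types; "text" for the package name is this example's choice.
MISP_TYPE = {"Domain": "domain", "IPv4": "ip-dst", "MD5": "md5", "Package Name": "text"}


def parse_ioc_table(markdown):
    """Parse a 3-column markdown IoC table; values stay defanged, validation runs on a re-fanged copy."""
    rows = []
    for line in markdown.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row and the |---|---|---| separator.
        if len(cells) != 3 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        ioc_type, value, description = cells
        check = VALIDATORS.get(ioc_type, lambda _v: False)
        rows.append({
            "type": ioc_type,
            "value": value,                    # still defanged, safe to print or log
            "description": description,
            "valid": check(refang(value)),     # unknown types are flagged invalid, not silently loaded
        })
    return rows


def to_misp_attributes(rows, refang_values=False):
    """Emit MISP-style attribute dicts; re-fang only when the caller says the sink is a controlled platform."""
    attrs = []
    for r in rows:
        if not r["valid"]:
            continue
        attrs.append({
            "type": MISP_TYPE[r["type"]],
            "category": "Network activity" if r["type"] in ("Domain", "IPv4") else "Payload delivery",
            "value": refang(r["value"]) if refang_values else r["value"],
            "comment": r["description"],
            "to_ids": r["type"] != "Package Name",   # package names are context, not a detection signature
        })
    return attrs


if __name__ == "__main__":
    parsed = parse_ioc_table(IOC_TABLE)
    for row in parsed:
        print(f"{row['type']:<13} {row['value']:<36} valid={row['valid']}")
    print(f"{len(to_misp_attributes(parsed))} attributes ready for import (values left defanged)")
```

Keeping `refang_values` off by default means a copy-paste into a ticket or chat still carries the `[.]` form; the only code path that produces resolvable strings is the one explicitly feeding the platform, which is the behaviour the note above asks for.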

