NFC relay attacks targeting Android smartphone users surged by 188% during the first four months of 2026, highlighting a growing cybersecurity threat that is increasingly being used by criminals to steal funds through contactless payment technologies.
NFC relay attacks rise sharply as cybercriminals target mobile payments
According to new findings released by Kaspersky, its cybersecurity solutions blocked approximately 35,600 attacks involving Android malware that uses Near Field Communication (NFC) techniques between January and April 2026. This compares with more than 12,300 attacks detected during the same period in 2025, indicating a significant escalation in both the scale and sophistication of these threats.
Cybersecurity experts warn that the rapid increase in NFC relay attacks reflects how cybercriminals are adapting existing technologies and social engineering tactics to exploit the growing use of digital payments and contactless banking services worldwide.
Kaspersky’s analysis identified several malware families behind the attacks, including SuperCard X, PhantomCard, NGate, and modified versions of the NFCGate tool. While users in Russia continue to experience the highest concentration of these threats, researchers noted that victims in Europe and Latin America are increasingly being targeted, raising concerns that the attacks could spread to additional regions throughout 2026.
The company had previously forecast an increase in attacks involving NFC-based payment systems, and recent telemetry data suggests that prediction is now materialising as cybercriminal groups expand their operations and refine their attack methods.
Security researchers identified two primary attack techniques currently being used. The first, known as the “direct NFC” method, involves scammers contacting potential victims through messaging applications. Fraudsters often pose as bank representatives, government officials, or security personnel and convince users to download malicious software disguised as a legitimate financial application.
Once the application is installed, victims are instructed to tap their bank card against their smartphone and enter their card PIN. This process allows attackers to capture sensitive payment card information, which can later be used for fraudulent transactions and financial theft.
A newer and more sophisticated method, referred to as the “reverse NFC” scheme, has become increasingly common. In this scenario, criminals persuade victims to install a malicious application and designate it as the default contactless payment service on their smartphone.
The malware then generates an NFC signal that automated teller machines (ATMs) interpret as belonging to a bank card controlled by the attackers. Victims are subsequently convinced to deposit money into what they believe is a secure account. In reality, the funds are transferred directly to accounts controlled by the scammers.
Kaspersky Chief Security Expert Sergey Golovanov said the reverse NFC method presents a greater challenge for fraud detection because victims willingly initiate the transactions themselves.
According to Golovanov, these transactions can appear legitimate to financial institutions, making them significantly more difficult to identify and prevent compared with traditional forms of payment fraud. He added that cybersecurity researchers expect the malware to continue evolving and potentially expand into additional geographic regions.
Cybersecurity experts note that the evolution of Android malware linked to NFC technology demonstrates how quickly threat actors can adapt emerging techniques. The first publicly reported incidents involving modified NFC tools emerged in Europe during late 2023 before spreading to Russia and other markets.
Researchers later discovered that NFC relay malware had become available through malware-as-a-service (MaaS) platforms, allowing cybercriminals with limited technical expertise to access sophisticated attack tools. This development has contributed to the wider adoption of NFC-based fraud techniques and increased the potential scale of future attacks.
As mobile banking and digital payments continue to grow globally, experts stress the importance of strengthening mobile cybersecurity practices. Users are advised to avoid downloading applications from unofficial sources, including links received through SMS messages, social media platforms, messaging applications, or unsolicited phone calls.
Security professionals also recommend never following instructions from unknown individuals at ATMs and ensuring smartphones are protected with reputable security software capable of detecting phishing attempts and malicious applications.
The sharp rise in NFC relay attacks serves as a reminder that cybercriminals are continually adapting their tactics to exploit new technologies, making vigilance and proactive security measures increasingly important for consumers and businesses alike.