Rising NFC-based attacks threaten contactless payments — Kaspersky

ATTACKS on Android smartphones based on near-field communication (NFC) to steal funds surged by 188% in the first four months of this year, posing risks to contactless payments, according to cybersecurity company Kaspersky.

Kaspersky said its cybersecurity solutions blocked 35,600 attacks coming from Android malware families that use NFC techniques, including SuperCard X, PhantomCard, NGate, and other malicious modifications of NFCGate tool. This was up from just over 12,300 attacks blocked in the same period a year ago.

Users in Russia see the most NFC relay mobile threats, it said.

It added that it expects attacks on NFC payments to continue growing as cybercriminals’ schemes become more advanced.

“While previously attackers relied on ‘direct NFC’ scheme, now the ‘reverse NFC’ appears more common,” comments Sergey Golovanov, chief security expert at Kaspersky. “The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones. We do not rule out that NFC relay malware itself continue to evolve and geography of attacks will expand. That’s why this threat should be further closely monitored.”

In direct NFC schemes, attackers contact victims via messaging apps pretending to do identity verification while tricking them into downloading malware that will lead them to tap their cards to an infected smartphone, leaking their card data.

Meanwhile, for reverse NFC schemes, fraudsters use social engineering techniques to trick victims into setting malicious applications as a primary contactless payment method on their compromised smartphones. These kinds of applications generate an NFC signal that ATMs recognize as the scammers’ card.

“Victims are then persuaded to go to an ATM (automated teller machine) and deposit funds into a ‘secure account’ using their infected phone. In reality, the scammers receive the victims’ money,” Kaspersky said.

“The first publicly reported attacks that used a modified legitimate NFC tool occurred in late 2023. Those attacks were primarily detected in Europe. Then users from Russia and other regions faced similar mobile malware attacks. Later it became known that cybercriminals packaged NFC relay malware into malware-as-a-service offering, potentially simplifying access to malicious tools for other attackers. NFC relay campaigns demonstrate how threat actors adapt and reuse new methods to steal users’ funds,” Dmitry Kalinin, cybersecurity expert at Kaspersky, said.

The company said users should protect themselves against NFC relay attacks and other mobile threats by not installing apps coming from unofficial sources, especially those sent via messaging apps, social media, or SMS.

Using security solutions on Android smartphones can also help flag and prevent visits to phishing sites and stop malware installation. — Bettina V. Roc