RelayNFC: the malware that turns your Android phone into a “card terminal” to steal contactless payments in Brazil

The contactless payments ecosystem lives with an uncomfortable contradiction: while banks and retailers promote tap to pay as a fast and secure option, cybercriminals are proving it can also be a very profitable attack vector. The latest example comes from Brazil and has a name of its own: RelayNFC, a new Android malware family capable of turning a smartphone into a remote reader for bank cards.

Researchers at Cyble Research and Intelligence Labs (CRIL) have documented an active and evolving campaign using RelayNFC to carry out real-time NFC relay attacks, with a clear goal: to perform fraudulent payments as if the victim’s physical card were present at the attacker’s payment terminal.

This is not a theoretical threat or just a concept demo: the code is in the wild, the command-and-control servers are active and, most worryingly, the samples analysed still show zero detections on VirusTotal, which means most mobile security solutions are not flagging it yet.


How RelayNFC works: from phishing to real-time theft

The campaign relies on a classic strategy: well-crafted phishing, localized to Brazil. Users land on Portuguese-language fake pages that present themselves as services to “protect” or “secure” their payment card. From there, they are prompted to download a malicious Android app.

Investigators found at least five different domains with a similar design and the same goal: distribute the RelayNFC APK under different names but always with the same function.

Once the app is installed, the attack unfolds in three stages:

  1. NFC bait screen
    The app displays an interface asking the user to hold their bank card close to the phone, with messages like “aproxime o cartão” (“bring the card closer”). The device then behaves as an NFC reader, capturing the card data.
  2. PIN theft
    After reading the card, the app shows another screen asking the user to enter their 4- or 6-digit PIN, supposedly to “verify” or “activate” security. That PIN is sent directly to the attackers’ server.
  3. Real-time relay channel
    This is the technical core of RelayNFC. The malware establishes a persistent WebSocket connection with the command-and-control server. Over this channel, the infected device acts as an intermediary between the victim’s physical card and the attacker’s payment terminal.
    • The server sends APDU commands (the standard messages a POS terminal uses to talk to a card).
    • The malware parses those commands and forwards them to the phone’s NFC subsystem, which is reading the real card.
    • The card responds, the phone captures the response, and RelayNFC immediately sends it back to the server, which continues the transaction on its side.

In practice, it is as if the attacker’s POS terminal were connected by an “invisible cable” to the victim’s card, without the victim knowing.


A design built to evade analysis

RelayNFC is not a rushed experiment. Analysts highlight several technical choices that make it harder to detect and study:

  • The app is built with React Native, so much of its logic is packed into a single index.android.bundle file.
  • Instead of readable JavaScript, that bundle is compiled to Hermes bytecode, a format that is much harder to inspect with common static analysis tools.
  • The malware operates with few visible permissions and components in the Android manifest, which reduces suspicion and helps it slip through superficial checks.

CRIL also identified a related variant that includes a RelayHostApduService class based on Host Card Emulation (HCE). This mechanism allows the phone to emulate a payment card rather than act as a reader, opening the door to new types of relay or fraud scenarios. In the sample analysed, the HCE service wasn’t fully registered, which suggests the feature is still under development and that more sophisticated versions may appear.
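The three traits above (a Hermes-compiled bundle, a sparse manifest, and an HCE service that is declared but not fully registered) are all things an analyst can check mechanically during APK triage. The following is an added example of such a check, not code from CRIL or from the malware; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the package name and service contents in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
# Hermes bytecode files start with this 8-byte magic (0x1F1903C103BC1FC6, little-endian).
HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")

def is_hermes_bundle(data: bytes) -> bool:
    """True if an index.android.bundle is Hermes bytecode rather than plain JavaScript."""
    return data[:8] == HERMES_MAGIC

def triage_manifest(manifest_xml: str) -> dict:
    """Pull the NFC-related indicators out of a decoded AndroidManifest.xml.

    An HCE service counts as 'complete' only if it declares both the HOST_APDU_SERVICE
    intent-filter action and the host_apdu_service meta-data entry.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hce_services = []
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name") or ""
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        metas = {m.get(ANDROID_NS + "name") for m in svc.iter("meta-data")}
        if HCE_ACTION in actions or HCE_META in metas or "HostApduService" in name:
            hce_services.append({"name": name,
                                 "complete": HCE_ACTION in actions and HCE_META in metas})
    return {
        "nfc_permission": "android.permission.NFC" in perms,
        "permission_count": len(perms),   # a very short list is itself a hint worth noting
        "hce_services": hce_services,
    }

# Constructed sample manifest (placeholder package name): few permissions, plus an HCE
# service that is declared but not fully registered (no host_apdu_service meta-data),
# mirroring the variant described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".RelayHostApduService" android:exported="true">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run `triage_manifest` over the decoded manifest and `is_hermes_bundle` over the first bytes of assets/index.android.bundle; a sparse manifest with an NFC permission, an incomplete HCE service and a Hermes bundle together match the profile described in this section.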


Why Brazil… and why this matters globally

In recent years, Brazil has become a testing ground for new financial threats: banking trojans, malware targeting fintech apps and now NFC relay malware. Campaigns such as Ngate, SuperCardX and PhantomCard had already shown growing cybercriminal interest in exploiting contactless payments.

RelayNFC is a step further in that evolution:

  • It uses modern development techniques (mobile frameworks, optimised runtimes).
  • It directly targets EMV contactless payments, the global standard.
  • It takes advantage of behaviours that look normal: holding a card near a phone seems logical if the app presents itself as a security tool.

Although the current campaign focuses on Brazil, the technology and approach are easily exportable to other countries where contactless payments and Android phones are widespread. This is not just a local threat, but a warning signal.


How users can protect themselves

Researchers and security experts recommend several basic but effective measures:

  • Install apps only from Google Play or official stores, never from links in SMS, emails or “miracle” security pages.
  • Be suspicious of any app that asks you to tap your card against your phone unless it is your bank’s official app or a well-known payment provider.
  • Carefully review app permissions: a tool to “check balance” or “secure your card” should not need advanced NFC access without a very clear reason.
  • Keep NFC turned off when you’re not actively using it to pay, reducing the attack surface.
  • Enable two-factor authentication on banking and financial apps to add a protection layer even if your PIN or card data are compromised.
  • Contact your bank immediately and, if necessary, local authorities if you notice suspicious transactions or think you installed a fraudulent app.

What banks and merchants should be doing

For the financial sector, RelayNFC is a wake-up call about an attack vector that was often seen as less likely: real-time relay from the victim’s own smartphone.

Recommended actions include:

  • Reinforcing anti-fraud systems specifically for contactless payments, detecting anomalous patterns (location, device type, transaction sequences).
  • Improving detection of banking trojans and malicious apps through collaboration with security vendors and threat intelligence providers.
  • Prioritising user education campaigns, making it clear that the institution will never ask customers to tap their card on a phone or enter their PIN into an unofficial app.
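One concrete form the first recommendation can take is a location-based sequence check on the issuer side: a relayed tap shows up as a card-present transaction at the attacker's terminal, possibly far from where the same card was tapped minutes earlier. The following is an added example of that check, not code from any bank, CRIL or the article's sources; the transaction records, terminal IDs and thresholds are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner: one physical card cannot do this
MIN_DISTANCE_KM = 100.0     # ignore short hops so back-to-back taps nearby do not trip the rule

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two terminal locations, in kilometres."""
    d_lat, d_lon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(d_lat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(d_lon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def flag_impossible_travel(txns):
    """Flag contactless transactions whose card was tapped too far away, too soon.

    txns: dicts with card, ts (ISO 8601), lat, lon, terminal. Returns one record per
    flagged transaction with the implied speed, so an analyst can see why it fired.
    """
    flagged, last_seen = [], {}
    for t in sorted(txns, key=lambda x: x["ts"]):
        prev = last_seen.get(t["card"])
        if prev is not None:
            hours = (datetime.fromisoformat(t["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
            kmh = km / hours if hours > 0 else float("inf")
            if km >= MIN_DISTANCE_KM and kmh > MAX_PLAUSIBLE_KMH:
                flagged.append({"card": t["card"], "terminal": t["terminal"],
                                "previous_terminal": prev["terminal"],
                                "km": round(km), "kmh": round(kmh)})
        last_seen[t["card"]] = t
    return flagged

# Constructed sample: card A is tapped in Sao Paulo and, four minutes later, in Recife,
# the pattern a relay from a victim's phone to a distant attacker terminal would produce.
# Card B shows ordinary same-city activity and must not be flagged.
SAMPLE_TXNS = [
    {"card": "A", "ts": "2024-01-01T10:00:00", "lat": -23.55, "lon": -46.63, "terminal": "POS-SP-1"},
    {"card": "B", "ts": "2024-01-01T10:01:00", "lat": -23.56, "lon": -46.65, "terminal": "POS-SP-2"},
    {"card": "A", "ts": "2024-01-01T10:04:00", "lat": -8.05, "lon": -34.88, "terminal": "POS-REC-9"},
    {"card": "B", "ts": "2024-01-01T10:30:00", "lat": -23.60, "lon": -46.70, "terminal": "POS-SP-3"},
]
```

In production this would be one signal among several (device type, merchant history, transaction sequence), feeding a step-up or decline decision rather than acting alone.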

Frequently Asked Questions

What exactly is RelayNFC?
RelayNFC is an Android malware family identified by Cyble Research and Intelligence Labs that turns the victim’s phone into a remote NFC reader. Through a real-time connection to the attacker’s server, it enables contactless payments to be executed as if the victim’s card were physically present at the criminal’s payment terminal.

How does RelayNFC get onto victims’ phones?
It is distributed mainly via Portuguese-language phishing websites that pose as card security services. From these pages, users are invited to download and install an Android app which is, in reality, the malware.

Are contactless card or mobile payments still safe?
EMV contactless technology remains generally secure, but it is not invulnerable. Attacks like RelayNFC show that if a phone is compromised and the user is tricked, criminals can abuse the NFC channel. Keeping your device free of malware and disabling NFC when not needed are key measures.

How can I protect my card and phone against RelayNFC and other NFC malware?
Some good practices include: installing apps only from official stores, distrusting apps that request you to tap your card on the phone, keeping your system updated, using reputable mobile security solutions, enabling transaction alerts in your banking app and turning off NFC except when making specific payments.


Sources:
Cyble Research and Intelligence Labs (RelayNFC), SecurityOnline, prior research on NFC malware families such as Ngate, SuperCardX and PhantomCard.
