At least $355,000 in illicit contactless transactions have already been linked to a single point-of-sale vendor, underlining how quickly ‘ghost payments’ – NFC relay fraud – has moved from proof-of-concept to a repeatable cash-out model
A new wave of NFC-enabled Android malware is allowing cybercriminals to carry out what look like legitimate in-person card payments without the cardholder ever being present, according to new research findings.
Researchers at Group-IB say Chinese threat actors are actively developing and selling Android applications which exploit near-field communication (NFC) to relay payment data remotely. The technique, often referred to by researchers as “ghost payments” or “Ghost Tap”, enables criminals to complete unauthorised transactions that pass through payment systems as card-present taps.
Unlike traditional card-not-present fraud, where compromised card details are used online, ghost payments blur the boundary between physical and digital crime. Transactions are initiated at real point-of-sale terminals, but the card itself may be hundreds or thousands of miles away.
How ghost payments work
According to Group-IB, the fraud typically relies on two coordinated applications. A ‘reader’ app is installed on a victim’s Android device or a mule phone loaded with compromised cards, allowing it to interact with a bank card or mobile wallet via NFC. A second ‘tapper’ app runs on the criminal’s device and communicates with a point-of-sale terminal.
NFC data is relayed between the two through a command-and-control server, enabling the attacker to complete transactions remotely as if the card were physically present. From the perspective of issuers and networks, the payment looks indistinguishable from a normal contactless tap.
Victims are often drawn in through smishing or vishing campaigns and persuaded to sideload an APK and tap their card against their phone under the guise of account verification or security checks. In other cases, fraudsters bypass victims entirely, instead relying on mule networks using mobile wallets pre-loaded with compromised cards to make in-store purchases across multiple countries.
An industrialised fraud supply chain
What distinguishes this wave from earlier NFC relay attacks is its level of organisation. Group-IB says it has identified more than 54 malicious APK variants, many masquerading as legitimate banking or financial apps, promoted and sold in Chinese-language cybercrime channels on Telegram.
The underground ecosystem extends beyond software. Illicitly acquired POS terminals are openly advertised alongside the malware, with some vendors offering bundled access to both tools and hardware. From November 2024 to August 2025, researchers recorded at least $355,000 in fraudulent transactions linked to a single POS vendor alone.
A familiar idea, scaled up
NFC relay attacks are not new. Academic researchers demonstrated proof-of-concept attacks on contactless cards more than a decade ago, and early criminal attempts surfaced intermittently in the late 2010s. What has changed is scale and accessibility.
Earlier attacks required specialised hardware and technical expertise. Today’s ghost-payment tools are packaged as consumer-grade Android apps, complete with user support, regular updates and affiliate sales models. From August 2024 through August 2025 alone, the cybersecurity community documented a succession of variants, including NGate, ZNFC, SuperCard X and PhantomCard.
The rise of contactless payments has provided fertile ground. Since the pandemic, tap-to-pay limits have risen across many markets, and consumers have grown accustomed to frictionless in-store payments. At the same time, Android’s openness, particularly around APK sideloading, has made it easier for malware to masquerade as legitimate financial software.