According to Kaspersky telemetry, the number of NFC-based attacks on Android smartphones aimed at stealing victims’ funds have surged by 188% in the first four months of 2026, compared with the same period in 2025.
From January to April 2026, Kaspersky cybersecurity solutions blocked 35,600 attacks of different Android malware families that use NFC techniques, including SuperCard X, PhantomCard, NGate, as well as other malicious modifications of NFCGate tool, compared to over 12,300 attacks blocked during the first four months in 2025. According to Kaspersky, users in Russia face NFC relay mobile threats more often, nevertheless Kaspersky experts note that users in other regions — especially in Latin America and Europe — also encounter NFC-based attacks. At the end of 2025, Kaspersky predicted an increase in the number of attacks on NFC payments in 2026.
At the moment, there are two main schemes of NFC-based attacks:
Direct NFC. Fraudsters contact victims via messaging apps and, under the guise of verifying users’ identity, trick them into downloading malware that is disguised, for example, as a financial application. Victims are then prompted to tap their bank card to an infected smartphone, as well as to enter the card PIN. As a result, the card data is handed over to the attackers.
Reverse NFC. Scammers send users a malicious application and, using social engineering techniques, persuade them to set this application as a primary contactless payment method on their compromised smartphones. Such application generates an NFC signal that ATMs recognise as the scammers’ card. Victims are then persuaded to go to an ATM and deposit funds into a ‘secure account’ using their infected phone. In reality, the scammers receive the victims’ money.
“While previously attackers relied on ‘direct NFC’ scheme, now the ‘reverse NFC’ appears more common,” comments Sergey Golovanov, chief security expert at Kaspersky. “The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones. We do not rule out that NFC relay malware itself continues to evolve and geography of attacks will expand. That's why this threat should be further closely monitored.”
“The first publicly reported attacks that used a modified legitimate NFC tool occurred in late 2023. Those attacks were primarily detected in Europe. Then users from Russia and other regions faced similar mobile malware attacks. Later it became known that cybercriminals packaged NFC relay malware into malware-as-a-service (MaaS) offering, potentially simplifying access to malicious tools for other attackers. NFC relay campaigns demonstrate how threat actors adapt and reuse new methods to steal users’ funds,” added Dmitry Kalinin, cybersecurity expert at Kaspersky.
To protect against NFC relay attacks and other mobile threats, Kaspersky recommends:
- Avoid installing apps from unofficial sources. This includes links sent via messaging apps, social media, SMS, or recommended during a phone call.
- Never follow instructions from strangers at an ATM — no matter who they claim to be.
- Use a comprehensive security solution on your Android smartphones to prevent visits to phishing sites from web browsers and messengers, and stop malware installation.
