In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication (NFC) technology to perpetrate large-scale fraud at ATMs and Point-of-Sale (POS) terminals.
According to cyber threat intelligence analysts at Resecurity, numerous banks, FinTech companies, and credit unions have reported a surge in NFC-related fraud in Q1 2025, with damages exceeding millions of dollars for a top Fortune 100 financial institution in the United States.
These attackers demonstrate remarkable adaptability, crafting sophisticated tools to manipulate NFC systems for unauthorized transactions, targeting regions including the U.S., UK, EU, Australia, Canada, Japan, and the UAE.
.png
)
The global nature of their operations, often backed by organized crime syndicates with suspected state tolerance in China, poses significant challenges to detection and mitigation due to geopolitical and technical barriers.
Sophisticated Tools and Techniques Unveiled
The mechanics of NFC fraud involve exploiting Host Card Emulation (HCE), a technology that allows Android devices to mimic ISO 14443 NFC smart cards via services like HostApduService, enabling communication with payment terminals through Application Protocol Data Unit (APDU) commands.
Tools like “Z-NFC” and “Track2NFC,” often sold on the Dark Web and Telegram channels, facilitate this by emulating card data or relaying stolen payment information from victims’ mobile wallets, such as Google Pay or Apple Pay, to perpetrators’ devices at ATMs or POS terminals.
Techniques like “Ghost Tap” allow fraudsters to execute transactions without triggering merchant payment processors, while apps like “HCE Bridge” simulate various contactless payment kernels for malicious use.
Resecurity’s reverse engineering of Z-NFC revealed a heavily obfuscated Android APK (package name: com.hk.nfc.paypay) that uses native libraries and runtime decryption to evade static analysis, underscoring the technical sophistication of these attacks.
Additionally, cybercriminals operate “farms” of mobile devices to automate fraud at scale, targeting institutions like Barclays, HSBC, and Santander, and even exploiting loyalty points programs for unauthorized redemptions.
Further amplifying the threat, NFC-enabled POS terminals are abused or illicitly registered via money mules, enabling fraud and money laundering across countries like China, Malaysia, and Nigeria.
Attackers also leverage stolen Track 2 data from ATM skimmers, recorded onto blank cards, to conduct transactions at compromised terminals, often bypassing Cardholder Verification Methods (CVM) for low-value contactless payments.
The rapid adoption of NFC technology, with 1.9 billion enabled devices worldwide, combined with the anonymity of encrypted communication and e-SIM contracts, makes these operations elusive.
As NFC continues to underpin contactless payments and identity verification globally, the urgent need for robust security protocols, advanced fraud detection, and international cooperation becomes evident to curb this escalating cyber threat.
Indicators of Compromise (IOC)
| Indicator | Description |
|---|---|
| Package Name | com.hk.nfc.paypay |
| App Name | Often disguised as utility/NFC tool |
| Native Libraries | libjiagu.so, libjgdtc.so |
| Path | /data/data/<pkg>/.jiagu/libjiagu_64.so |
| Class | com.stub.StubApp |
| Suspicious String | “entryRunApplication” – real app class |
| Permissions | NFC, Camera, Internet, Storage access |
| URL | https://znfcqwe.top |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
.){kind=link}