From January to April 2026, Kaspersky blocked 35,600 Android malware attacks using NFC technology, nearly three times the 12,300 attacks recorded during the same period in 2025. These threats include SuperCard X, PhantomCard, NGate, and malicious NFCGate variants. While Russia remains the most affected country, NFC-based attacks are also increasing across Latin America and Europe. Kaspersky identifies two main attack methods: Direct NFC, where victims are tricked into sharing card data by tapping their bank card to an infected device, and Reverse NFC, where victims unknowingly transfer money to scammers through compromised smartphones used at ATMs, a press release said.
“While previously attackers relied on ‘direct NFC’ scheme, now the ‘reverse NFC’ appears more common,” comments Sergey Golovanov, chief security expert at Kaspersky. “The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones. We do not rule out that NFC relay malware itself continue to evolve and geography of attacks will expand. That’s why this threat should be further closely monitored.”
“The first publicly reported attacks that used a modified legitimate NFC tool occurred in late 2023. Those attacks were primarily detected in Europe. Then users from Russia and other regions faced similar mobile malware attacks. Later it became known that cybercriminals packaged NFC relay malware into malware-as-a-service (MaaS) offering, potentially simplifying access to malicious tools for other attackers. NFC relay campaigns demonstrate how threat actors adapt and reuse new methods to steal users’ funds,” added Dmitry Kalinin, cybersecurity expert at Kaspersky.
For protection against NFC relay attacks and other mobile threats, users should only download apps from official sources and avoid installing applications received through messages, social media, SMS, or phone calls. They should never follow instructions from strangers at ATMs and should use reliable mobile security software to block phishing attempts and prevent malware installation.
