A the number of NFC-based attacks on Android smartphones aimed at stealing victims’ funds has surged by 188 % in the first four months of 2026, compared with the same period in 2025.
SMARTPHONES
Kaspersky reveals NFC relay attacks on smartphones surged by 188 % in 2026
ccording to Kaspersky telemetry,
A the number of NFC-based attacks on Android smartphones aimed at stealing victims’ funds has surged by 188 % in the first four months of 2026, compared with the same period in 2025.
From January to April 2026, Kaspersky cybersecurity solutions blocked 35,600 attacks of different Android malware families that use NFC techniques, including SuperCard X, PhantomCard, NGate, as well as other malicious modifications of the NFCGate tool, compared to more than 12,300 attacks blocked during the first four months of 2025.
According to Kaspersky, users in Russia face NFC relay mobile threats more often, nevertheless Kaspersky experts note that users in other regions, especially in Latin America and Europe, also encounter NFCbased attacks. At the end of 2025, Kaspersky predicted an increase in the number of attacks on NFC payments in 2026.
The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones.
At the moment, there are two main schemes of NFC-based attacks:
Direct NFC
Fraudsters contact victims via messaging apps and, under the guise of verifying users’ identity, trick them into downloading malware that is disguised, for example, as a financial application. Victims are then prompted to tap their bank card to an infected smartphone, as well as enter the card PIN. As a result, the card data is handed over to the attackers.
Reverse NFC
Scammers send users a malicious application and, using social engineering techniques, persuade them to set this application as a primary contactless payment method on their compromised smartphones. Such an application generates an NFC signal that ATMs recognise as the scammers’ card. Victims are then persuaded to go to an ATM and deposit funds into a‘ secure account’ using their infected phone. In reality, the scammers receive the victims’ money.
“ While previously attackers relied on‘ direct NFC’ scheme, now the‘ reverse NFC’ appears more common,” said Sergey Golovanov, Chief Security Expert, Kaspersky.“ The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones. We do not rule out that NFC relay malware itself continues to evolve and geography of attacks will expand. That’ s why this threat should be further closely monitored.”
“ The first publicly reported attacks that used a modified legitimate NFC tool occurred in late 2023. Those attacks were primarily detected in Europe. Then users from Russia and other regions faced similar mobile malware attacks. Later it became known that cybercriminals packaged NFC relay malware into Malwareas-a-Service( MaaS) offerings, potentially simplifying access to malicious tools for other attackers. NFC relay campaigns demonstrate how threat actors adapt and reuse new methods to steal users’ funds,” added Dmitry Kalinin, Cybersecurity Expert, Kaspersky.
28 WWW. INTELLIGENTCISO. COM