Researchers identify surge in tap-to-pay Android malware
- Jan 13
Cybersecurity researchers have uncovered a new wave of Android malware that lets criminals make tap-to-pay purchases without ever holding the victim’s bank card. In simple terms, scammers trick people into installing a fake “payment” or “banking” app and then persuade them to tap their card on their phone. The app secretly reads the card’s contactless (NFC) data and sends it to the criminals, who complete purchases using their own devices and illicit point-of-sale terminals, making the transactions look like genuine in-person payments. This activity is being marketed in online crime forums, with dozens of malicious Android apps disguised as legitimate financial tools and sold via subscription, complete with customer support and “success” screenshots to entice buyers. Reported cases span multiple countries, and detections have steadily increased since mid-2024, suggesting the technique is spreading across fraud networks rather than disappearing.
The scam typically uses two coordinated apps. The first is a “reader” installed on the victim’s phone that captures the card’s NFC data when the victim taps their card. The second is a “tapper” used on the criminal’s device to spend the stolen details or cash out. In some campaigns, attackers skip direct contact with victims entirely by preloading compromised cards into mobile wallets and sending “money mules” to make purchases in physical stores. The initial lure often arrives by text or phone—known as smishing and vishing—impersonating trusted brands or banks and urging the victim to “verify” their account or install a security app. The goal is to get the victim to install the malware and tap their card on cue.
For the public, the most effective defence starts with recognizing and reporting suspicious messages. NCSC’s guidance is straightforward: if a text or call seems off, don’t click links, don’t install apps from the message, and don’t share personal or banking details. Instead, report suspicious emails to report@phishing.gov.uk and forward suspicious texts to 7726 (a free service on UK mobile networks), which alerts your mobile provider and helps get scams taken down. If you think you’ve entered banking details, contact your bank immediately; if you installed software from a suspicious message, run an antivirus scan and follow the steps for recovering an infected device. These simple actions protect you and others, and reports have already led to the removal of hundreds of thousands of scams across hundreds of thousands of URLs.
It also pays to lock down your phone. NCSC advises keeping your device and apps up to date, using a strong PIN or password (or biometrics), and installing a minimal number of apps—ideally only from official stores—because sideloaded or “unknown source” apps are a common route for malware. For work devices, organizations should centrally manage Android phones, enforce policies through Mobile Device Management (MDM), and approve apps via a managed catalogue. These measures reduce the chance that fake payment apps can be installed and make it easier to detect unusual behaviour on devices.
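As an added example (not from the article or from NCSC), the following Python script audits an Android handset for third-party apps that did not come from a trusted store, which is the sideloaded or “unknown source” route the paragraph above warns about. It parses the output of `adb shell pm list packages -3 -i` (third-party packages together with the package that installed each one) and optionally checks the result against a managed app catalogue. The sample output, the trusted-installer set and the catalogue are constructed assumptions; `read_from_device()` is the hook for running it against a real device.

```python
"""Audit an Android device for sideloaded third-party apps (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Installers a managed fleet would normally trust. Assumption: adjust to your
# estate (managed Google Play also reports as com.android.vending).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play / managed Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Constructed sample of `adb shell pm list packages -3 -i` output, not from a real device.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.secure.verify  installer=null
package:com.acme.mdmagent  installer=com.android.vending
package:com.quick.pay  installer=com.android.chrome
package:com.files.manager  installer=com.google.android.packageinstaller
"""

_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Pkg:
    name: str
    installer: Optional[str]  # None when pm reports installer=null


def parse_package_list(text: str) -> List[Pkg]:
    """Parse `pm list packages -i` lines; lines that do not match are skipped."""
    pkgs = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        inst = m.group("inst")
        pkgs.append(Pkg(m.group("pkg"), None if inst == "null" else inst))
    return pkgs


def find_sideloaded(pkgs: Iterable[Pkg], trusted: Set[str] = TRUSTED_INSTALLERS,
                    catalogue: Optional[Set[str]] = None) -> List[Pkg]:
    """Return packages installed by an untrusted or unknown installer, plus any
    package outside the managed catalogue when one is supplied."""
    flagged = []
    for p in pkgs:
        untrusted_source = p.installer not in trusted          # None counts as untrusted
        outside_catalogue = catalogue is not None and p.name not in catalogue
        if untrusted_source or outside_catalogue:
            flagged.append(p)
    return flagged


def read_from_device(serial: Optional[str] = None) -> str:
    """Pull the package list from an attached device. Assumes adb is on PATH and
    the device has authorised this host for USB debugging."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + \
          ["shell", "pm", "list", "packages", "-3", "-i"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for read_from_device() to audit a real handset.
    for p in find_sideloaded(parse_package_list(SAMPLE_OUTPUT)):
        print(f"{p.name}: installer {p.installer or 'unknown (sideloaded APK)'}")
```

Browser-delivered APKs typically show the browser as the installer, and manual APK installs show the system package installer, so both surface here even when the app’s name looks like a bank’s. On a managed fleet, pass the MDM’s approved list as `catalogue` so that anything outside it is flagged regardless of where it came from.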
If you receive a message claiming to be from your bank or a payment provider asking you to install an app or “verify” your card by tapping it on your phone, treat it as suspicious. Genuine providers won’t ask you to install an app via a text link or to “scan” your card into an app you’ve just downloaded from a message. Go directly to the official app store or the bank’s website to check any requests, and contact the organization using verified contact details, not the numbers or links in the message. If you’ve already responded to a suspicious message, NCSC’s step-by-step advice covers changing reused passwords, scanning your device, and reporting the incident so authorities can act quickly.
For banks, card issuers, and merchants, raising customer awareness about smishing and vishing is essential, but it is only one layer. Strengthen fraud monitoring for the patterns that betray these schemes: a single card being provisioned into several mobile wallets in quick succession, one wallet device enrolling many different cards, and bursts of contactless transactions occurring minutes apart at widely separated locations that a genuine cardholder could not physically have made. Tighten merchant vetting, especially for POS terminals, to make it harder for criminals to cash out. Align your mobile security posture with NCSC’s Android guidance by enforcing updates, restricting app sources, logging and monitoring devices, and using managed app catalogues rather than allowing unvetted installations. These steps help detect malicious apps and abnormal device behaviour early, reducing both the scale and the success rate of tap-to-pay fraud.
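To make the fraud-monitoring point concrete, here is an added Python example (not from the article, from NCSC, or from any issuer’s real system) that implements the patterns just described over a constructed batch of wallet-enrolment and purchase events: a card provisioned into several wallet devices, or one device enrolling many cards, within a short window; and consecutive contactless purchases whose implied ground speed is impossible. Card identifiers are assumed to be tokens rather than raw PANs, and the windows, thresholds and the London/Manchester coordinates are assumptions chosen for the example.

```python
"""Constructed detections for tap-to-pay fraud patterns (added example)."""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    card: str     # card token; assumption: analytics sees tokens, never raw PANs
    kind: str     # "wallet_enrol" or "purchase"
    lat: float
    lon: float
    device: str   # wallet device id on enrolments, terminal id on purchases


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _windowed_distinct(events: Iterable[Event], key: Callable, value: Callable,
                       window: timedelta, threshold: int) -> Dict[str, int]:
    """{key: n} for keys that see >= threshold distinct values inside one window."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        groups[key(e)].append(e)
    hits = {}
    for k, evs in groups.items():
        best = 0
        for i, start in enumerate(evs):
            distinct = {value(x) for x in evs[i:] if x.ts - start.ts <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            hits[k] = best
    return hits


def rapid_enrolments(events: Iterable[Event], window=timedelta(hours=1),
                     threshold: int = 3) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Cards pushed into many wallet devices quickly, and devices (the 'tapper')
    that enrol many different cards quickly."""
    enrol = [e for e in events if e.kind == "wallet_enrol"]
    cards = _windowed_distinct(enrol, lambda e: e.card, lambda e: e.device, window, threshold)
    devices = _windowed_distinct(enrol, lambda e: e.device, lambda e: e.card, window, threshold)
    return cards, devices


def implausible_travel(events: Iterable[Event], max_kmh: float = 300.0,
                       min_km: float = 5.0) -> Dict[str, int]:
    """Cards with consecutive purchases whose implied speed exceeds max_kmh.
    Pairs closer than min_km are ignored so neighbouring terminals never trigger."""
    by_card: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "purchase":
            by_card[e.card].append(e)
    flagged = {}
    for card, evs in by_card.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours  # same-second events
            if speed > max_kmh:
                flagged[card] = round(speed) if speed != float("inf") else -1
                break
    return flagged


# Constructed sample batch, not real issuer data.
T0 = datetime(2025, 1, 13, 10, 0)
LON, MAN = (51.5074, -0.1278), (53.4808, -2.2426)
SAMPLE = [
    Event(T0, "tok_A", "wallet_enrol", *LON, "wallet_1"),          # one card, three wallets
    Event(T0 + timedelta(minutes=8), "tok_A", "wallet_enrol", *LON, "wallet_2"),
    Event(T0 + timedelta(minutes=20), "tok_A", "wallet_enrol", *LON, "wallet_3"),
    Event(T0, "tok_D", "wallet_enrol", *MAN, "wallet_X"),          # one wallet, four cards
    Event(T0 + timedelta(minutes=3), "tok_E", "wallet_enrol", *MAN, "wallet_X"),
    Event(T0 + timedelta(minutes=7), "tok_F", "wallet_enrol", *MAN, "wallet_X"),
    Event(T0 + timedelta(minutes=12), "tok_G", "wallet_enrol", *MAN, "wallet_X"),
    Event(T0, "tok_B", "purchase", *LON, "term_1"),                # London, then Manchester
    Event(T0 + timedelta(minutes=20), "tok_B", "purchase", *MAN, "term_2"),
    Event(T0, "tok_C", "purchase", *LON, "term_1"),                # legitimate local pair
    Event(T0 + timedelta(hours=2), "tok_C", "purchase", 51.5155, -0.0922, "term_3"),
]

if __name__ == "__main__":
    print("enrolment hits:", rapid_enrolments(SAMPLE))
    print("implausible travel:", implausible_travel(SAMPLE))
```

Enrolment events would come from the wallet provisioning or token-service feed and purchases from the authorisation stream; the thresholds here are starting points to be tuned against an issuer’s own baseline, since a legitimate cardholder with a phone and a watch will trip a threshold of two. Terminal coordinates are only as good as merchant onboarding data, which is one more reason the paragraph above ties fraud analytics to POS and merchant vetting.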
Staying sceptical of unexpected messages, reporting them promptly, and keeping devices locked down are the most effective first lines of defence for the public. For organizations, combining customer education with robust device management and fraud analytics—guided by NCSC’s recommendations—will markedly improve resilience against this fast-moving threat.