Not long ago, a friend of ours, Mike, was walking along the Southbank of the River Thames and came across a street food market. He bought some lunch, tapping to pay on the vendor’s phone. Around half an hour later, as he crossed the Millennium Bridge heading towards the dome of St Paul’s Cathedral, his Android phone buzzed and vibrated in his pocket several times.
When Mike glanced at his device’s screen, he was confused. His mobile wallet was notifying him of 10 successful payments worth $50 each for topping up TikTok advertisements. He hadn’t consciously made any such payment; he didn’t even use TikTok.
What had just happened?
He didn’t know it at the time, but Mike had just fallen victim to an NFC Proxy Malware attack. His device wasn’t infected, but the vendor’s device was.
Mobile payments have never been so seamless or intuitive; transactions are mostly taps these days. Mobile wallets, mobile banking, and SoftPOS solutions are all booming, and NFC Proxy Malware attacks exploit how simple and frictionless payments have become.
Mike got the money refunded to his bank account in the end. But it is telling that he has gone back to tapping with a physical card rather than his phone, and that he now refuses to tap on another mobile device acting as a terminal (known as SoftPOS) rather than on a dedicated payment dongle. Preventing attacks like this one in the coming months and years is likely to shape how much confidence people have in everyday digital transactions.
What is NFC Proxy Malware?
NFC Proxy Malware manipulates the communication channel between the applications that take part in an NFC payment: the wallet app on the payer’s device on one side, and either a payment terminal or a SoftPOS application on the vendor’s device on the other. You might think of it as a man-in-the-middle (MitM) attack for the contactless age.
This is how it works:
The payload arrives on a device via a malicious application, perhaps as the result of a successful phishing campaign. It then positions itself between the payment app and the NFC interface, and when the victim initiates a transaction the malware can replay previously captured transactions (an NFC Replay Attack), modify the transaction amount or merchant data before the app signs them, or forward a live tap to a fraudulent endpoint, including a terminal or another mobile device somewhere else entirely (an NFC Relay Attack).
What makes this attack particularly disconcerting is that the malware turns the smartphone against its owner: it silently impersonates the user and reroutes their transactions without their knowledge.
Why is it gaining in popularity?
In short, because of the massive shift to mobile payments in recent years. Obviously there are geographical differences around the world, but by and large NFC plays a huge role in the modern-day payment landscape; whether that’s Apple Pay, Google Pay, other mobile wallets, or SoftPOS solutions that allow people to accept payments on their device.
Crucially though, this NFC technology is used on billions of devices around the world, and not all of those devices are secure. The average smartphone user has no idea that the devices around them include rooted and jailbroken handsets, and emulators that imitate a smartphone from a computer, none of which can be trusted to run a payment app honestly.
Thousands of these attempts are reported every second by Alice, our threat and device intelligence solution. This murky and untrustworthy mobile channel complicates the picture massively, because attackers can target environments where traditional security assumptions simply don’t apply.
Then there are the low barriers to entry for attackers, allied with the potential for quick rewards. Proxy malware frameworks and templates are now sold openly in underground forums, while there’s a great deal of flexibility for attackers to target either unsuspecting individuals who end up with mysterious transactions to their name (like Mike), or wider merchant networks and ecosystems.
Real-world risks
One of the reasons NFC Proxy Malware attacks have security analysts worried is that many backend systems simply aren’t built to detect the kind of localized, in-device interference that defines them. From the server’s perspective, a bogus transaction carried out this way can look completely normal and above board.
Perhaps the most common type of attack is the NFC Replay Attack, where a captured transaction is resent. In this scenario the victim rarely notices until later, and may never notice if the amount is small and they dismiss the payment notification as the receipt for their own purchase.
Another scenario is transaction manipulation. Here the malware alters the payment amount or merchant ID on the fly, before the payment app commits to them. Again, the aim is for the change to go unnoticed by both the payer and the backend.
In SoftPOS environments, wider merchant abuse is a real threat. In theory, entire networks of devices could be exploited to carry out widespread fraud. As this article explains, devices can be used as a kind of cloned card for contactless payments.
What’s at stake?
NFC Proxy Malware targets the in-device NFC transaction path, intercepting or altering data before it is bound into the usual payment cryptograms. Because the cryptogram is then computed over the already-altered fields, it verifies correctly, and transport-level protections like TLS, which only cover the data once it leaves the device, don’t stop it. And because the manipulation happens locally on the merchant device, backend fraud systems that depend on network or behavioral signals are much less likely to detect it. If the payment app can’t cryptographically attest its runtime and environment, it has no reliable way to know whether the transaction it signed is the one the user intended.
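The attack sequence described under "This is how it works", the replay and manipulation scenarios under Real-world risks, and the point just made about where the tampering happens can be made concrete with a small model. The following is an added example written for this article, not code from the original post or from any product, and it is not real EMV: the application cryptogram is stood in for by an HMAC over (device id, amount, merchant id, counter) under a per-device key shared with the issuer, the payer and vendor sides are collapsed into one process, and the Wallet, Backend and NfcProxyMalware classes, the key material and the amounts are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transaction:
    device_id: str
    amount_cents: int
    merchant_id: str
    counter: int          # monotonically increasing per device, like an EMV ATC
    cryptogram: str


def compute_cryptogram(key: bytes, device_id: str, amount_cents: int,
                       merchant_id: str, counter: int) -> str:
    """Stand-in for the application cryptogram: a MAC over the fields the issuer checks."""
    msg = f"{device_id}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Wallet:
    """Payer-side app: signs whatever amount and merchant the NFC layer hands it."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id, self.key, self.counter = device_id, key, 0

    def build(self, amount_cents: int, merchant_id: str) -> Transaction:
        self.counter += 1
        mac = compute_cryptogram(self.key, self.device_id, amount_cents, merchant_id, self.counter)
        return Transaction(self.device_id, amount_cents, merchant_id, self.counter, mac)


class Backend:
    """Issuer side: checks the cryptogram and, optionally, that the counter moved forward."""

    def __init__(self, keys: dict, replay_check: bool) -> None:
        self.keys, self.replay_check, self.last_counter = keys, replay_check, {}

    def verify(self, tx: Transaction) -> str:
        key = self.keys.get(tx.device_id)
        if key is None:
            return "reject: unknown device"
        expected = compute_cryptogram(key, tx.device_id, tx.amount_cents, tx.merchant_id, tx.counter)
        if not hmac.compare_digest(expected, tx.cryptogram):
            return "reject: bad cryptogram"
        if self.replay_check:
            if tx.counter <= self.last_counter.get(tx.device_id, 0):
                return "reject: counter already seen"
            self.last_counter[tx.device_id] = tx.counter
        return "accept"


class NfcProxyMalware:
    """Hypothetical proxy sitting between the NFC interface and the wallet's transaction logic."""

    def __init__(self) -> None:
        self.captured = []

    def relay(self, wallet: Wallet, amount_cents: int, merchant_id: str,
              override_amount=None, override_merchant=None) -> Transaction:
        # Tampering happens here, before the wallet computes the cryptogram,
        # so the resulting cryptogram is genuine for the altered fields.
        amount = amount_cents if override_amount is None else override_amount
        merchant = merchant_id if override_merchant is None else override_merchant
        tx = wallet.build(amount, merchant)
        self.captured.append(tx)          # kept for a later replay
        return tx

    def replay_last(self) -> Transaction:
        return self.captured[-1]


def run_scenarios() -> dict:
    key = hashlib.sha256(b"constructed demo device key").digest()   # constructed, not real
    wallet = Wallet("wallet-0001", key)
    naive = Backend({"wallet-0001": key}, replay_check=False)
    strict = Backend({"wallet-0001": key}, replay_check=True)
    proxy = NfcProxyMalware()
    results = {}

    # 1. Honest tap: the terminal asks for 12.50 at the food stall.
    tx = proxy.relay(wallet, 1250, "food-stall")
    results["honest"] = (naive.verify(tx), strict.verify(tx))

    # 2. Replay: the captured transaction is resent unchanged.
    tx = proxy.replay_last()
    results["replay"] = (naive.verify(tx), strict.verify(tx))

    # 3. Manipulation before the cryptogram: amount and merchant rewritten in-device.
    tx = proxy.relay(wallet, 1250, "food-stall", override_amount=5000, override_merchant="ads-topup")
    results["pre_cryptogram_tamper"] = (naive.verify(tx), strict.verify(tx))

    # 4. Tampering after the cryptogram exists (e.g. on the wire) is caught by the MAC.
    tx = replace(tx, amount_cents=9999)
    results["post_cryptogram_tamper"] = (naive.verify(tx), strict.verify(tx))
    return results


if __name__ == "__main__":
    for name, (naive_result, strict_result) in run_scenarios().items():
        print(f"{name:24s} naive={naive_result:28s} strict={strict_result}")
```

Running it gives the four outcomes in order: an honest tap is accepted; a verbatim replay is accepted by a backend that only checks the cryptogram but rejected by one that tracks the per-device counter (real EMV cryptograms cover an application transaction counter and a terminal-supplied unpredictable number for exactly this reason, so a straight replay is the easiest of these cases for an issuer to catch); a change made before the cryptogram is computed is accepted by both backends, which is the case this article is about; and a change made after the cryptogram exists fails verification, which is why the malware has to sit inside the device rather than on the wire.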
These attacks are particularly dangerous because they violate something deeper than technical specifications alone: end user trust. The average end user feels very secure and comfortable using their mobile device for everyday activities, including payments. They trust that a tap means a safe, complete, and authorized transaction. If NFC Proxy Malware – or other similar attacks – continue to gain traction, quietly rerouting payments, then that trust will erode incredibly quickly. And then the entire mobile payment ecosystem could potentially feel the impact.
How to protect against NFC Proxy Malware
Protecting against Proxy Malware requires multiple layers of security. It’s not enough to protect sensitive data in transit; the application itself, and the device environment it runs in, need protecting too.
The following should be seen as core pillars of an effective defensive strategy:
Application Integrity Control is vital to make sure the application hasn’t been tampered with. Anti-repackaging techniques, signature validation, and integrity checks stop modified or cloned versions of an app from being used against production services.
Runtime Application Self Protection (RASP) detects and responds in real time to threats such as debuggers, hooking frameworks (Frida, Xposed), root managers (Magisk), and code injection or runtime manipulation. This matters because it makes it much harder for malware to observe or modify the NFC transaction logic.
Device Attestation can identify whether the app is running on a compromised device. Rooted, jailbroken, or virtualized environments are the most common hosts for proxy malware, so being able to flag suspicious devices is vitally important.
Secure Cryptography and Storage, including white-box cryptography, device binding, and secure key storage, all help to make sure that sensitive operations such as transaction signing can’t be observed or modified.
If your app stores any kind of payment tokens, cryptographic material, or transaction logic, then it must be protected against both extraction and tampering.
Trusted Execution ensures that sensitive code runs inside a secure environment (like a virtual Trusted Execution Environment). That way it’s isolated from malware on the device.
The two mechanisms above make it possible to establish a secure channel between the two ends of a transaction that malware on the device cannot observe or rewrite, which defends against NFC Proxy Malware much as TLS defends against a classic man-in-the-middle attack.
Threat Intelligence and Monitoring helps to track and flag emerging malware variants across your user base. It can monitor how apps are being run, what devices they’re running on, and whether expected behavior patterns are being violated. These insights can then be shared with bank and payment platform analysts to help them to respond to threats more effectively.
Finally, Anti-Malware mechanisms are vital in stopping this kind of attack. These include integrated malware and Potentially Harmful App (PHA) detection that checks for known malware signatures, alongside heuristic checks that flag indicators of interference by malware or PHAs.
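The RASP and device attestation pillars above boil down to reading the process's own environment and refusing to sign when it looks hostile. The following is an added example, not code from the original post or from any product, showing that logic run over constructed snapshots of what an Android payment app would read: its own /proc/self/maps, its /proc/self/status, and a set of filesystem paths. The indicator strings are the well-known artifacts of the tools named in the article (Frida's injected frida-agent library, Xposed's bridge and ART library, Magisk and su binaries, a non-zero TracerPid for an attached debugger) but are illustrative rather than complete; the snapshots, package name and paths are constructed for the demonstration, and on a real device this check would live in native code rather than Python.

```python
import re
from dataclasses import dataclass

# Well-known on-device artifacts of the tools the article names. Illustrative
# indicator lists, not an exhaustive or authoritative set.
MAPPED_LIBRARY_INDICATORS = {
    "frida": ("frida-agent", "frida-gadget", "libfrida"),
    "xposed": ("libxposed_art.so", "XposedBridge.jar"),
    "substrate": ("libsubstrate", "MobileSubstrate"),
}
FILESYSTEM_INDICATORS = {
    "magisk": ("/sbin/magisk", "/sbin/.magisk", "/data/adb/magisk"),
    "su": ("/system/bin/su", "/system/xbin/su", "/sbin/su"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def scan_maps(maps_text: str) -> list:
    """Look for hooking-framework libraries mapped into our own process (/proc/self/maps)."""
    findings = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        path = fields[5] if len(fields) == 6 else ""   # anonymous mappings carry no path
        for family, needles in MAPPED_LIBRARY_INDICATORS.items():
            if any(needle in path for needle in needles):
                findings.append(Finding(f"hooking:{family}", path))
                break
    return findings


def scan_status(status_text: str) -> list:
    """A non-zero TracerPid in /proc/self/status means something is ptrace-attached to us."""
    match = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    if match and int(match.group(1)) != 0:
        return [Finding("debugger", f"TracerPid={match.group(1)}")]
    return []


def scan_filesystem(existing_paths) -> list:
    """Root-management binaries that a stock device should not have."""
    present = frozenset(existing_paths)
    return [Finding(f"root:{family}", path)
            for family, paths in FILESYSTEM_INDICATORS.items()
            for path in paths if path in present]


def assess(maps_text: str, status_text: str, existing_paths) -> list:
    return scan_maps(maps_text) + scan_status(status_text) + scan_filesystem(existing_paths)


def allow_transaction(findings: list) -> bool:
    """Policy hook: refuse to sign if anything was found. A real app would also report upstream."""
    return not findings


# Constructed snapshots standing in for what the app would read on a device.
CLEAN_MAPS = """\
7f1c2a000000-7f1c2a021000 r--p 00000000 fd:00 1001 /system/lib64/libc.so
7f1c2a021000-7f1c2a0a0000 r-xp 00021000 fd:00 1001 /system/lib64/libc.so
7f1c2b000000-7f1c2b010000 rw-p 00000000 00:00 0
7f1c2c000000-7f1c2c040000 r-xp 00000000 fd:00 2002 /data/app/com.example.wallet/lib/arm64/libwallet.so
"""
HOSTILE_MAPS = CLEAN_MAPS + """\
7f1c2d000000-7f1c2d600000 r-xp 00000000 fd:00 3003 /data/local/tmp/re.frida.server/frida-agent-64.so
7f1c2e000000-7f1c2e004000 rw-p 00000000 00:00 0 [anon:frida-agent heap]
"""
CLEAN_STATUS = "Name:\tcom.example.wallet\nState:\tS (sleeping)\nTracerPid:\t0\n"
HOSTILE_STATUS = "Name:\tcom.example.wallet\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
CLEAN_FS = {"/system/bin/sh", "/system/lib64/libc.so"}
HOSTILE_FS = CLEAN_FS | {"/sbin/magisk", "/system/xbin/su"}


def run_demo() -> dict:
    return {
        "clean": assess(CLEAN_MAPS, CLEAN_STATUS, CLEAN_FS),
        "hostile": assess(HOSTILE_MAPS, HOSTILE_STATUS, HOSTILE_FS),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        verdict = "allow" if allow_transaction(findings) else "block"
        print(f"{label}: {verdict}")
        for finding in findings:
            print(f"  {finding.category}: {finding.detail}")
```

The clean snapshot produces no findings and the transaction is allowed; the hostile one yields two Frida mappings, the attached tracer, and the Magisk and su binaries, and is blocked. The caveat a practitioner should keep in mind is that these checks run inside the same process the attacker controls, so they can be hooked or short-circuited like any other code; that is why the article pairs RASP with device attestation, trusted execution and backend-side monitoring rather than relying on it alone, and why the verdict should be reported to the server rather than only enforced on the device.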
In recent years we’ve written frequently on this blog about the emotional and psychological impact of mobile-based attacks on end users.
Pretty much since the mobile phone became a mass-market device and grew rapidly in popularity around 25 years ago, it has become a safe space for people to retreat to. A place people associate with their friends and loved ones.
That’s why any attack that involves the mobile device feels particularly personal.
But NFC Proxy Malware attacks clearly illustrate the glaring disconnect between the importance we place on the device, and how attached we are to it, and how dangerous the environment around it is. Hackers see the phone as a gold mine, and with good reason. It’s our go-to for all of our banking and payment needs, as well as the hub of our social lives. And the more serious organizations get about protecting their mobile applications, the more creative attackers become in getting around the defenses.
Mobile channel security is quickly resembling something of an arms race, and this latest weapon is gaining traction fast.
NFC Proxy Malware represents a new, silent threat for the digital age. But by employing a combination of the protection mechanisms above, we can collectively ensure that end users like Mike can carry on using their mobile devices to carry out digital payments with confidence.