There has been an 188% surge in the number of NFC-based attacks on Android smartphones in the first four months of 2026 compared to the same period last year, according to Kaspersky telemetry.
From January to April this year, Kaspersky cybersecurity solutions blocked 35 600 attacks of different Android malware families that use NFC techniques – including SuperCard X, PhantomCard, NGate, as well as other malicious modifications of NFCGate tool, compared to over 12 300 attacks blocked during the first four months in 2025.
According to Kaspersky, users in Russia face NFC relay mobile threats more often, nevertheless Kaspersky experts note that users in other regions – especially in Latin America and Europe – also encounter NFC-based attacks. At the end of 2025, Kaspersky predicted an increase in the number of attacks on NFC payments in 2026.
At the moment, there are two main schemes of NFC-based attacks:
Direct NFC. Fraudsters contact victims via messaging apps and, under the guise of verifying users’ identity, trick them into downloading malware that is disguised, for example, as a financial application. Victims are then prompted to tap their bank card to an infected smartphone as well as to enter the card PIN. As a result, the card data is handed over to the attackers.
Reverse NFC. Scammers send users a malicious application and, using social engineering techniques, persuade them to set this application as a primary contactless payment method on their compromised smartphones. Such an application generates an NFC signal that ATMs recognise as the scammers’ card. Victims are then persuaded to go to an ATM and deposit funds into a “secure account” using their infected phone. In reality, the scammers receive the victims’ money.
“While previously, attackers relied on ‘direct NFC’ scheme, now the ‘reverse NFC’ appears more common,” says Sergey Golovanov, chief security expert at Kaspersky. “The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against because victims themselves transfer money to the attackers’ accounts and such transactions are hard to distinguish from legitimate ones. We do not rule out that NFC relay malware itself continues to evolve and that the geography of attacks will expand. That’s why this threat should be further closely monitored.”
Dmitry Kalinin, cybersecurity expert at Kaspersky, adds: “The first publicly reported attacks that used a modified legitimate NFC tool occurred in late 2023. Those attacks were primarily detected in Europe. Then users from Russia and other regions faced similar mobile malware attacks. Later it became known that cybercriminals packaged NFC relay malware into a malware-as-a-service (MaaS) offering, potentially simplifying access to malicious tools for other attackers.
“NFC relay campaigns demonstrate how threat actors adapt and reuse new methods to steal users’ funds,” he says.