Ghost Tapped Turns Android Phones Into Fraud Payment Relays

Ghost Tapped is Android malware that abuses NFC to enable remote payment fraud without physical card access.

Written By
Ken Underhill
Jan 9, 2026

Cybercriminals have found a new way to drain bank accounts — by turning victims’ Android phones into unwitting payment relays. 

A newly documented attack technique, Ghost Tapped, exploits NFC to enable remote financial fraud without physical access to a victim’s bank card.

“At least $355,000 in illegitimate transactions have been recorded from one POS vendor alone throughout November 2024 – August 2025,” said Group-IB researchers.

Inside the Ghost Tapped NFC Fraud Scheme

Ghost Tapped targets Android devices by abusing near field communication (NFC), the same technology used for contactless payments at stores and ATMs. 

Because the attack leverages legitimate payment workflows, fraudulent transactions can appear normal to banks and payment processors, making detection more difficult.


Initial Infection and Social Engineering

The attack typically begins with social engineering, such as deceptive text messages or phone calls that persuade victims to install malicious APK files disguised as legitimate banking or payment apps. 

Once installed, the app prompts users to tap their physical bank cards against their phones, claiming the action is required for verification or security enrollment.

Instead, the malicious application captures the card’s NFC payment data and sends it to an attacker-controlled command-and-control (C2) server. 

Ghost Tapped operates using a two-component architecture: a reader app on the victim’s device that collects and encrypts payment data, and a tapper app used by criminals. 

When a victim taps their card, the reader app relays the encrypted data through internet-connected servers to the tapper app in near real time.


Fraudulent Transactions at POS Terminals

The tapper app then transmits the payment data to real point-of-sale terminals or ATMs that have been stolen or fraudulently obtained from legitimate payment processors. 

To the terminal, the transaction appears fully legitimate — as if the attacker’s device itself were the victim’s physical bank card — allowing unauthorized payments to proceed without raising immediate suspicion.

Malware Variants and Operational Scale

Group-IB identified more than 54 variants of Ghost Tapped malware circulating between August 2024 and August 2025, with several versions actively sold and promoted through Telegram marketplaces. 

The malicious apps request Android permissions such as android.permission.NFC and android.permission.INTERNET, enabling interaction with NFC hardware and external communication.
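For defenders working from an MDM app inventory, the permission pair named above can be combined with install source as a triage signal. The following is an added example, not code from Group-IB or the article; the inventory record layout, the trusted-installer list and the package names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The two permissions the article says the malicious apps request.
RELAY_PERMS = {"android.permission.NFC", "android.permission.INTERNET"}
# Assumption: the only installer this organization trusts is Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}


def requested_permissions(manifest_xml):
    """Return permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(inventory):
    """Return packages that were sideloaded AND request both NFC and INTERNET."""
    findings = []
    for app in inventory:
        perms = requested_permissions(app["manifest"])
        sideloaded = app["installer"] not in TRUSTED_INSTALLERS
        if sideloaded and RELAY_PERMS <= perms:
            findings.append(ET.fromstring(app["manifest"]).get("package"))
    return findings


def make_manifest(package, perms):
    """Build a minimal decoded manifest for the constructed samples below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


BOTH = ["android.permission.NFC", "android.permission.INTERNET"]
# Constructed inventory records; installer None means no store installed the app.
SAMPLE_INVENTORY = [
    {"installer": "com.android.vending", "manifest": make_manifest("com.example.wallet", BOTH)},
    {"installer": None, "manifest": make_manifest("com.example.bankverify", BOTH)},
    {"installer": None, "manifest": make_manifest("com.example.notes", ["android.permission.INTERNET"])},
]

if __name__ == "__main__":
    for package in triage(SAMPLE_INVENTORY):
        print("review:", package)
```

Legitimate wallet and banking apps request the same two permissions, so a hit here is a reason to review the app, not a verdict.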

After installation, the malware collects device identifiers and authentication data and maintains persistent connections to attacker infrastructure using WebSocket or MQTT protocols. 

Between November 2024 and August 2025, one threat group associated with Ghost Tapped processed at least $355,000 in fraudulent transactions, with thousands of victims reported globally.

Law enforcement agencies have already made arrests related to Ghost Tapped activity in multiple countries, including the United States, Singapore, the Czech Republic, and Malaysia, highlighting both the scale and the international reach of the operation.


How to Reduce NFC Fraud Risk

Organizations can reduce the risk of NFC-based fraud by combining technical controls with user awareness and operational readiness.

  • Restrict installation of untrusted applications and enforce mobile device management controls to limit sideloading and unauthorized app behavior.
  • Disable or tightly restrict NFC functionality on devices where contactless payments are not required.
  • Educate users to treat unsolicited requests to tap payment cards or install apps as suspicious and report them promptly.
  • Strengthen transaction monitoring with behavioral analytics, velocity checks, and step-up authentication for high-risk NFC payments.
  • Apply least-privilege permissions, OS hardening, and mobile threat detection to prevent abuse of NFC and network capabilities.
  • Review, test, and update incident response plans.

These steps help build resilience against attacks like Ghost Tapped and reduce blast radius.
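The velocity check and step-up authentication from the transaction-monitoring item can be sketched as a sliding-window rule over contactless payments. This is an added example, not code from the article or any payment processor; the thresholds, field names and transactions are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 600        # assumption: 10-minute sliding window
MAX_TAPS = 3          # assumption: contactless payments allowed per card per window
MAX_AMOUNT = 500.0    # assumption: cumulative contactless spend per card per window


def decide(transactions):
    """Map each transaction id to 'approve' or 'step_up' using per-card velocity."""
    recent = defaultdict(deque)   # card -> (timestamp, amount) pairs inside the window
    decisions = {}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        if tx["entry"] != "nfc":
            decisions[tx["id"]] = "approve"   # rule is scoped to contactless only
            continue
        window = recent[tx["card"]]
        while window and tx["ts"] - window[0][0] > WINDOW_S:
            window.popleft()                  # drop payments older than the window
        window.append((tx["ts"], tx["amount"]))
        total = sum(amount for _, amount in window)
        too_fast = len(window) > MAX_TAPS or total > MAX_AMOUNT
        decisions[tx["id"]] = "step_up" if too_fast else "approve"
    return decisions


# Constructed transactions: ts is seconds since the start of the sample.
SAMPLE_TX = [
    {"id": "t1", "card": "A", "entry": "nfc", "ts": 0, "amount": 20.0},
    {"id": "t2", "card": "A", "entry": "nfc", "ts": 60, "amount": 20.0},
    {"id": "t3", "card": "A", "entry": "nfc", "ts": 120, "amount": 20.0},
    {"id": "t4", "card": "A", "entry": "nfc", "ts": 180, "amount": 20.0},
    {"id": "t5", "card": "B", "entry": "nfc", "ts": 0, "amount": 40.0},
    {"id": "t6", "card": "B", "entry": "nfc", "ts": 1000, "amount": 40.0},
    {"id": "t7", "card": "C", "entry": "nfc", "ts": 0, "amount": 300.0},
    {"id": "t8", "card": "C", "entry": "nfc", "ts": 100, "amount": 300.0},
    {"id": "t9", "card": "A", "entry": "chip", "ts": 200, "amount": 900.0},
]

if __name__ == "__main__":
    for tx_id, verdict in decide(SAMPLE_TX).items():
        print(tx_id, verdict)
```

Card A trips the count threshold on its fourth tap and card C trips the amount threshold on its second, while card B's two taps fall in separate windows and pass.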


When Digital Attacks Meet Physical Payments

Ghost Tapped illustrates a broader shift in cybercrime toward attacks that bridge digital systems and real-world financial infrastructure. 

Instead of relying solely on traditional software vulnerabilities, attackers are exploiting trusted, everyday technologies such as smartphones and contactless payment mechanisms. 

This approach allows fraudulent activity to blend in with legitimate transactions, making detection and prevention more challenging for both organizations and financial institutions. 

In response, organizations are adopting zero-trust solutions to reduce implicit trust and protect high-risk payment and mobile environments.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
