Ghost Tapped: The New Android Malware Draining Bank Accounts via NFC Exploits
In a concerning development, cybersecurity experts have identified a sophisticated malware campaign dubbed Ghost Tapped, orchestrated by Chinese threat actors. This campaign leverages Near Field Communication (NFC) technology to illicitly access and drain victims’ bank accounts through compromised Android devices.
Modus Operandi
The attack initiates with social engineering tactics, where victims receive deceptive messages or phone calls urging them to download malicious Android Package (APK) files. These files masquerade as legitimate banking or payment applications, luring users into a false sense of security.
Once the malicious app is installed, it prompts users to tap their bank cards against their smartphones, ostensibly for security verification or registration purposes. Unbeknownst to the user, the app captures the card’s data and transmits it to a command-and-control (C2) server controlled by the attackers.
Technical Breakdown
The Ghost Tapped malware operates through a dual-component system:
1. Reader Application: Installed on the victim’s device, this component captures payment card information when the card is tapped against the device.
2. Tapper Application: Utilized by the attackers, this component receives the relayed card data and uses it to perform unauthorized transactions at point-of-sale (POS) terminals.
The malware requests specific NFC permissions, such as `android.permission.NFC` and `android.permission.INTERNET`, to function effectively. Upon installation, it collects device identifiers and authentication credentials, transmitting this information to remote servers using protocols like WebSocket or MQTT.
Relay Attack Mechanism
The attack employs a relay mechanism to facilitate fraudulent transactions:
1. Data Capture: When a victim taps their card against the infected device, the reader app captures the payment data and encrypts it.
2. Data Transmission: This encrypted data is sent through the C2 server to the attacker’s tapper application.
3. Transaction Execution: The tapper app forwards the data to a real POS terminal, which processes the transaction as if it were initiated by a legitimate bank card.
This method effectively bypasses traditional security measures, as the POS terminal perceives the transaction as authentic.
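As an added example (not code from the article, and not from any vendor or law-enforcement tool), the following Python script applies the two observations above, the NFC and INTERNET permission pairing and the reader/tapper split of the relay, to a decoded AndroidManifest.xml during app triage. It assumes the manifest has already been decoded to plain XML (for example with apktool); the package names, service names and the three sample manifests are constructed for the example. An app that answers a POS terminal as if it were a card must declare a host-card-emulation (HCE) service, which the script uses to separate "tapper-capable" from "reader-capable" manifests.

```python
"""Static triage of a decoded AndroidManifest.xml for the NFC-relay pattern:
NFC + network access, with or without a host-card-emulation (HCE) service.
Added example for this article; assumes apktool-style decoded XML input."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NFC_PERMS = {"android.permission.NFC"}
NET_PERMS = {"android.permission.INTERNET"}
# Real Android intent action that marks an HCE service: such a service lets the
# app respond to a POS terminal in place of a physical card (the "tapper" side).
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Return the permissions, HCE services and inferred relay role of a manifest.

    role is None (no NFC+network pairing), "reader-capable" (NFC + network, no
    HCE service: could capture a tapped card and send it out) or
    "tapper-capable" (additionally declares an HCE service: could replay card
    responses to a POS terminal)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    perms.discard(None)

    hce_services = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append(_attr(svc, "name"))

    has_nfc = bool(perms & NFC_PERMS)
    has_net = bool(perms & NET_PERMS)
    role = None
    if has_nfc and has_net:
        role = "tapper-capable" if hce_services else "reader-capable"

    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "hce_services": hce_services,
        "nfc_and_network": has_nfc and has_net,
        "role": role,
    }


# Constructed sample manifests (package and class names are invented).
READER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application><activity android:name=".TapYourCardActivity"/></application>
</manifest>"""

TAPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank.tapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".RelayHceService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for text in (READER_MANIFEST, TAPPER_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(f"{result['package']}: role={result['role']} "
              f"hce={result['hce_services']} perms={result['permissions']}")
```

The role label is a triage signal, not a verdict: a legitimate wallet or banking app may also declare NFC, INTERNET and an HCE service. What makes the pattern suspicious in this campaign is the combination with the delivery path (an APK from a message link rather than an official store) and a prompt to tap a physical card "for verification", so the output should be read together with where the app came from and what it asks the user to do.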
Scope and Impact
Between August 2024 and August 2025, security analysts identified over 54 distinct versions of these malicious applications, with more than half a dozen major variants actively promoted on platforms like Telegram. One group associated with this campaign processed at least $355,000 in fraudulent transactions during this period.
The global reach of this attack is evident, with thousands of victims reported worldwide. Law enforcement agencies have made arrests in multiple countries, including the United States, Singapore, the Czech Republic, and Malaysia, highlighting the widespread impact and international nature of this cyber threat.
Preventive Measures
To safeguard against such sophisticated attacks, users are advised to:
– Exercise Caution: Avoid downloading applications from untrusted sources or links received via unsolicited messages.
– Verify App Authenticity: Only install apps from official app stores and verify the developer’s credentials.
– Monitor Permissions: Be vigilant about the permissions requested by apps, especially those seeking access to NFC functionality.
– Regular Updates: Keep your device’s operating system and applications updated to benefit from the latest security patches.
– Use Security Software: Install reputable mobile security solutions to detect and prevent malware infections.
By adopting these practices, users can significantly reduce the risk of falling victim to such advanced cyber threats.