A new Android malware named DevilNFC has surfaced, combining Near Field Communication (NFC) relay attacks with a deceptive Kiosk Mode to trap users within counterfeit banking interfaces. This sophisticated threat primarily targets individuals in Europe and Latin America.
Unlike most new Android banking families, DevilNFC is not a fork of an existing codebase: it shares no code or infrastructure with previously documented NFC relay malware and appears to have been developed independently. The attack begins with phishing messages sent over SMS or WhatsApp that lead victims to a fraudulent webpage mimicking the Google Play Store. There, users are prompted to download a malicious application disguised as a mandatory security update for a legitimate Spanish-language bank.
Upon installation, the malware immediately activates and seizes control of the device. It uses what the report calls Android's Kiosk Mode (Android's lock task, or screen-pinning, mode) to lock the screen and display a fake banking interface fetched from a remote server. With the screen pinned, the system UI and hardware back button are unavailable, so the user is trapped inside the malicious screen while the NFC relay attack runs. A point worth checking during triage: on stock Android, an app without device-owner privileges cannot pin the screen silently; the user is asked to confirm pinning and can exit by holding Back and Overview. How DevilNFC gets past that confirmation is not described here.
Security analysts at Cleafy have identified DevilNFC as the more advanced of two newly discovered NFC relay malware families, the other being NFCMultiPay. Both are actively conducting attacks against banking customers, marking a significant evolution in the NFC relay threat landscape. Notably, these malware families exhibit development patterns indicative of generative AI-assisted tooling, suggesting that threat actors are leveraging uncensored AI models and publicly available malware codebases to streamline the creation of functional Android malware.
With the victim locked into the fraudulent interface, a fake verification prompt, rendered from a template served by the command-and-control infrastructure, asks for the four-digit card PIN after the initial card tap. The PIN is exfiltrated in plaintext to two destinations at once: a dedicated command-and-control endpoint and the attacker's private Telegram channel, together with the bank name and the victim's public IP address. That double delivery is a useful detection handle: a banking-themed app has no reason to post card PINs, bank names and IP addresses, let alone to a messaging service.
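The exfiltration pattern above can be turned into a simple triage check. The following script is an added example, not code from Cleafy's report or from the malware: it scans outbound HTTP requests (a constructed sample in the shape a mobile proxy or sandbox might log them), flags POST bodies that carry a four-digit value labelled as a PIN, pulls out the accompanying bank name and IP address, and reports any PIN that leaves the device toward more than one host. It assumes the Telegram leg is sent through the Bot API (`api.telegram.org/bot<token>/sendMessage`); the report only says the data reaches a private Telegram channel, so that path, the hosts, the token and all field names are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of outbound HTTP requests, in the shape a mobile proxy or
# sandbox might log them. Hosts, bot token, PIN and bank name are invented.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "url": "https://api.telegram.org/bot123456:ABCdefGHIjkl/sendMessage",
     "body": "chat_id=-100123&text=pin%3A1234+bank%3AExampleBank+ip%3A203.0.113.7"},
    {"method": "POST",
     "url": "http://203.0.113.50/api/pin",
     "body": '{"pin": "1234", "bank": "ExampleBank", "ip": "203.0.113.7"}'},
    {"method": "GET", "url": "https://www.example.com/", "body": ""},
    {"method": "POST",
     "url": "https://api.telegram.org/bot999:XYZ/sendMessage",
     "body": "chat_id=1&text=hello"},
]

# Telegram Bot API paths look like /bot<id>:<secret>/<method>. A bot token inside
# a POST from a "banking" app is suspicious on its own.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/sendMessage$")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def telegram_bot_token(url: str) -> Optional[str]:
    """Return the bot token if `url` is a Telegram Bot API sendMessage call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parts.path)
    return f"{m.group(1)}:{m.group(2)}" if m else None


def parse_body(body: str) -> dict:
    """Flatten a JSON object or a form-encoded body into {lowercase key: string value}."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(data, dict):
            return {}
        return {str(k).lower(): str(v) for k, v in data.items()}
    return {k.lower(): v[0] for k, v in parse_qs(body).items()}


def find_labelled(fields: dict, label: str, value_re: str) -> Optional[str]:
    """Find a value stored under `label`, or written inline as 'label: value' inside
    free text (the Telegram message packs everything into one `text` parameter)."""
    direct = fields.get(label)
    if direct is not None and re.fullmatch(value_re, direct):
        return direct
    inline = re.compile(r"\b" + label + r"\b\W{0,3}(" + value_re + ")", re.IGNORECASE)
    for value in fields.values():
        m = inline.search(value)
        if m:
            return m.group(1)
    return None


def analyze(requests: list) -> dict:
    """Flag POSTs carrying a plaintext four-digit card PIN, and list PINs sent to more than one host."""
    findings = []
    hosts_by_pin = {}
    for req in requests:
        if req["method"].upper() != "POST":
            continue
        fields = parse_body(req["body"])
        pin = find_labelled(fields, "pin", r"\d{4}(?!\d)")
        if pin is None:
            continue
        host = urlsplit(req["url"]).hostname
        findings.append({
            "host": host,
            "telegram_bot_token": telegram_bot_token(req["url"]),
            "bank": find_labelled(fields, "bank", r"\w+"),
            "victim_ip": find_labelled(fields, "ip", IPV4),
        })
        hosts_by_pin.setdefault(pin, set()).add(host)
    # The same PIN reaching two different hosts is the dual C2 + Telegram pattern.
    dual_exfil = {pin: sorted(hosts) for pin, hosts in hosts_by_pin.items() if len(hosts) > 1}
    return {"findings": findings, "dual_exfil": dual_exfil}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_REQUESTS), indent=2))
```

Run against the sample, the script reports two PIN-bearing POSTs (one carrying a bot token) and one PIN that went to both hosts. In a real deployment the input would be proxy logs or a sandbox's network capture, and the bot token itself is a pivot: it identifies the attacker's bot and can be reported to Telegram.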
As reported by Cyber Security News, DevilNFC shows how quickly mobile malware is maturing, and the practical lessons are the usual ones: treat unsolicited SMS or WhatsApp messages that push an app install as hostile, install applications only from official and verified sources, and be suspicious of any app that asks for a card PIN after a contactless tap. The pairing of NFC relay with screen pinning also means that a phone that suddenly refuses to leave a "banking" screen is itself an indicator of compromise.
Source: Cyber Security News