Chinese threat actors have developed a dangerous new way to steal money directly from bank accounts using specially crafted Android applications. <\/p>\n
Known as Ghost Tapped, these malicious apps<\/a> exploit Near Field Communication (NFC) technology, the same wireless technology that powers contactless payments. <\/p>\n Instead of needing your physical bank card, criminals can complete transactions from anywhere in the world by simply relaying payment information through their own devices.<\/p>\n The attack works in a surprisingly simple yet effective manner. Victims are targeted through deceptive messages and phone calls, tricked into downloading malicious APK files that look like legitimate banking or payment apps<\/a>. <\/p>\n Once installed, users are asked to tap their bank cards against their phones, believing they are registering the card for security purposes. <\/p>\n Unknown to them, the app captures card data and sends it to a command-and-control server operated by the criminals.<\/p>\n From August 2024 through August 2025, security experts identified over 54 different versions of these malicious applications, with more than half a dozen major variants actively being sold and promoted on Telegram. <\/p>\n Group-IB analysts identified<\/a> that the malware operates through a two-part system: a \u201creader\u201d application installed on the victim\u2019s device that captures payment card information, and a \u201ctapper\u201d application used by criminals to complete unauthorized transactions at stores and ATMs.<\/p>\n Group-IB researchers noted that the malware<\/a> operates by establishing a direct relay between a victim\u2019s payment card and a criminal\u2019s device through internet-connected servers. <\/p>\n When a card is tapped to an infected Android phone running the reader app, the payment data is captured and encrypted. <\/p>\n This data travels through the C2 server<\/a> and reaches the criminal\u2019s tapper application, which then forwards it to real point-of-sale terminals stolen or fraudulently obtained from legitimate payment processors. <\/p>\n To the POS terminal, the transaction appears completely legitimate, as if the criminal\u2019s device itself were a real bank card.<\/p>\n The technical implementation reveals sophisticated engineering. The applications request specific NFC permissions including\u00a0 Upon installation, they collect device identifiers and authentication credentials, sending this information to remote servers using WebSocket or MQTT protocols. <\/p>\n Between November 2024 and August 2025, one associated group processed at least $355,000 in fraudulent transactions using this method. <\/p>\n Thousands of victims globally have already fallen victim to these schemes, with arrests occurring in multiple countries including the United States, Singapore, Czech Republic, and Malaysia, demonstrating the attack\u2019s growing real-world impact.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Ghost Tapped Attack Uses Your Android Device to Drain Your Bank Account<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Infection Mechanism and Relay Attack<\/strong><\/h2>\n
![\"TX-NFC](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcJqLncBzqo9KKfPLnCjAs1ZAKkksK0FzC1p2Dlp3a-PXKUQYos4v0dynXQ6H4qug9HV9j8W_tzUouEzA9YBO6qbAewzbBLtwcLRYrvFK0eaw98bySONQeAZ2K0YiL9nCe4ywl8DF7kqnxtqfYNkfNwuRO6MfVWaatfhUPI2-vYX_WcRdX0wq-7J1QBmE\/s16000\/TX-NFC%2520Pricing%2520information%2520%26%2520feature%2520list%2520%28Source%2520-%2520Group-IB%29.webp?ssl=1\")
android.permission.NFC<\/code>\u00a0and\u00a0android.permission.INTERNET<\/code>\u00a0to function. <\/p>\n