Massive Android Trojan Campaign Targets European Users

Cybersecurity researchers have identified a massive surge in an Android banking trojan that uses Near Field Communication (NFC) relay attacks to steal money directly from Europeans’ credit cards. The campaign, detailed by analysts at Cybereason, leverages a new version of a malware strain that has been active since at least 2023. The trojan is distributed through phishing campaigns and malicious applications, sometimes found on the Google Play Store, masquerading as legitimate tools.

Once installed on a victim’s device, the malware requests access to Android’s Accessibility Services. This powerful permission allows the trojan to grant itself additional permissions without user interaction, read notifications, perform screen taps, and prevent its own uninstallation. The malware specifically targets users in European countries by checking the device’s language and mobile country code.

How the NFC Relay Attack Steals Funds

The core of the attack is its NFC relay module. The process begins when the threat actor initiates a transaction on a physical point-of-sale (PoS) terminal using a compromised card number. The malware on the victim’s phone then intercepts the NFC communication request from the PoS machine. To complete the transaction, the malware displays a deceptive notification on the victim’s screen, urging them to verify their identity or cancel a fictitious transaction by tapping their credit card on the back of their phone.

When the victim complies and holds their physical credit card to their phone, the device acts as a relay. It captures the card’s NFC data and transmits it to the attacker’s device, which then forwards it to the physical PoS terminal. This action approves the fraudulent transaction, effectively using the victim’s own phone and card to steal their money in real time.