The Rise of Regional NFC Relay Malware: Deep Dive into DevilNFC and NFCMultiPay

Cybersecurity researchers have identified a sophisticated new evolution in mobile banking fraud: the DevilNFC malware family. This threat is distinguished by its aggressive use of Android’s “kiosk mode” to facilitate advanced NFC (Near Field Communication) relay attacks, effectively hijacking a victim’s device to perform unauthorized contactless transactions.

This discovery marks a pivot in the threat landscape. While previous NFC relay campaigns were largely driven by centralized, Chinese-speaking Malware-as-a-Service (MaaS) ecosystems, DevilNFC and its sibling, NFCMultiPay, appear to be the work of localized, independent threat actors. Forensic analysis suggests DevilNFC is operated by Spanish-speaking groups, whereas NFCMultiPay shows clear linguistic indicators of Brazilian Portuguese origin. This shift suggests that regional cybercriminal syndicates are moving away from renting tools and are instead developing proprietary, specialized malware.

According to intelligence from Cleafy Labs, these families are increasingly targeting banking customers throughout Europe and Latin America.

Notable NFC Relay Malware Families Observed Over the Past Year (Source : Cleafy).
Notable NFC Relay Malware Families Observed Over the Past Year (Source: Cleafy).

Technical Architecture: The Dual-Purpose APK

DevilNFC utilizes a highly efficient architecture: a single Android application package (APK) that changes its functional logic based on the host environment. On a standard, unrooted victim device, the app operates as a passive NFC reader. However, when deployed on a rooted attacker device, it utilizes a hooking framework to intercept system-level communications, transforming the device into a card emulator. By bypassing standard Android APIs, the malware can communicate directly with the hardware to facilitate the relay.

The infection vector typically follows a classic social engineering pattern. Victims receive phishing lures via SMS or WhatsApp, impersonating urgent banking security alerts. These messages direct users to a fraudulent landing page designed to mimic the Google Play Store, tricking them into installing the malicious APK under the guise of a necessary “security update.”

Phishing messages & OTPs / Whatsapp Delivery / Malware Download (Source : Cleafy).
Phishing messages & OTPs / WhatsApp Delivery / Malware Download (Source: Cleafy).

The Kiosk Mode Trap and Data Exfiltration

Once the application is executed, it immediately triggers Android’s kiosk mode. This is a critical component of the attack, as it locks the user into a full-screen, persistent interface that overrides navigation controls and disables the “back” button. The victim is effectively trapped within a spoofed banking interface.

While the user is preoccupied with the fake interface, the malware executes several high-impact processes in the background:

  • NFC Relay: The victim is prompted to tap their physical payment card to “verify” their identity. The malware captures the NFC data and relays it to the attacker.
  • SMS Interception: The malware monitors incoming SMS traffic to intercept One-Time Passwords (OTPs) sent by financial institutions.
  • Real-time Exfiltration: Credentials, PINs, and card data are transmitted to attacker-controlled Command and Control (C2) servers and Telegram channels.

Technically, the APDU (Application Protocol Data Unit) relay is maintained via a persistent raw TCP socket, utilizing Google Protocol Buffers for efficient binary serialization. To maximize the window for transaction completion, the malware often displays a fake error message, instructing the victim to “hold the card longer.

NFCMultiPay: A Lightweight Alternative

In contrast to the system-level complexity of DevilNFC, the NFCMultiPay family adopts a more streamlined, Java-based approach. It does not require root access or native libraries, making it easier to deploy across a wider range of devices. While it does not use kiosk mode to lock the device, it relies heavily on continuous social engineering to keep the victim engaged with the spoofed interface.

A significant technical upgrade in NFCMultiPay is its communication protocol. While earlier versions relied on REST polling, the current iteration uses event-driven MQTT over TCP port 1883. This significantly reduces latency, allowing for near-instantaneous relaying of data between the victim and the attacker.

The Role of Generative AI in Malware Evolution

A concerning trend observed by researchers is the evidence of AI-assisted development. DevilNFC features highly structured, logically complex phishing templates, while NFCMultiPay exhibits logging formats that mirror the output of Large Language Models (LLMs). This suggests that generative AI, combined with open-source frameworks like NFCGate, is significantly lowering the barrier to entry for sophisticated mobile fraud.

Indicators of Compromise (IOCs)

Type Value Description
Domain nfcrackatm[.]com DevilNFC C2 / Relay Server
Domain spicynagets[.]shop DevilNFC C2 / Relay Server
IPv4 185.203.116[.]18 NFCMultiPay C2
IPv4 47.253.167[.]219 NFCMultiPay C2
MD5 caa5e8cf3275339d251210072ebe88c2 DevilNFC Apk Sample
MD5 35dd9c3a56e88a39bf6c8fdad46b0398 NFCMultiPay Apk Sample
MD5 9d19527aeb4cabfb40bbaea6d73b5ff0 NFCMultiPay Apk Sample
Package Name com.devilnfc.reader DevilNFC APK Package Name

Note: IP addresses and domains have been defanged (e.g., [.]) to prevent accidental resolution. Please re-fang these indicators only within controlled threat intelligence environments such as MISP, VirusTotal, or your SIEM.

Related Articles

Back to top button