The Rise of Regional NFC Relay Malware: Deep Dive into DevilNFC and NFCMultiPay
Cybersecurity researchers have identified a sophisticated new evolution in mobile banking fraud: the DevilNFC malware family. This threat is distinguished by its aggressive use of Android’s “kiosk mode” to facilitate advanced NFC (Near Field Communication) relay attacks, effectively hijacking a victim’s device to perform unauthorized contactless transactions.
This discovery marks a pivot in the threat landscape. While previous NFC relay campaigns were largely driven by centralized, Chinese-speaking Malware-as-a-Service (MaaS) ecosystems, DevilNFC and its sibling, NFCMultiPay, appear to be the work of localized, independent threat actors. Forensic analysis suggests DevilNFC is operated by Spanish-speaking groups, whereas NFCMultiPay shows clear linguistic indicators of Brazilian Portuguese origin. This shift suggests that regional cybercriminal syndicates are moving away from renting tools and are instead developing proprietary, specialized malware.
According to intelligence from Cleafy Labs, these families are increasingly targeting banking customers throughout Europe and Latin America.

Technical Architecture: The Dual-Purpose APK
DevilNFC utilizes a highly efficient architecture: a single Android application package (APK) that changes its functional logic based on the host environment. On a standard, unrooted victim device, the app operates as a passive NFC reader. However, when deployed on a rooted attacker device, it utilizes a hooking framework to intercept system-level communications, transforming the device into a card emulator. By bypassing standard Android APIs, the malware can communicate directly with the hardware to facilitate the relay.
The infection vector typically follows a classic social engineering pattern. Victims receive phishing lures via SMS or WhatsApp, impersonating urgent banking security alerts. These messages direct users to a fraudulent landing page designed to mimic the Google Play Store, tricking them into installing the malicious APK under the guise of a necessary “security update.”

The Kiosk Mode Trap and Data Exfiltration
Once the application is executed, it immediately triggers Android’s kiosk mode. This is a critical component of the attack, as it locks the user into a full-screen, persistent interface that overrides navigation controls and disables the “back” button. The victim is effectively trapped within a spoofed banking interface.
While the user is preoccupied with the fake interface, the malware executes several high-impact processes in the background:
- NFC Relay: The victim is prompted to tap their physical payment card to “verify” their identity. The malware captures the NFC data and relays it to the attacker.
- SMS Interception: The malware monitors incoming SMS traffic to intercept One-Time Passwords (OTPs) sent by financial institutions.
- Real-time Exfiltration: Credentials, PINs, and card data are transmitted to attacker-controlled Command and Control (C2) servers and Telegram channels.
Technically, the APDU (Application Protocol Data Unit) relay is maintained via a persistent raw TCP socket, utilizing Google Protocol Buffers for efficient binary serialization. To maximize the window for transaction completion, the malware often displays a fake error message, instructing the victim to “hold the card longer.
NFCMultiPay: A Lightweight Alternative
In contrast to the system-level complexity of DevilNFC, the NFCMultiPay family adopts a more streamlined, Java-based approach. It does not require root access or native libraries, making it easier to deploy across a wider range of devices. While it does not use kiosk mode to lock the device, it relies heavily on continuous social engineering to keep the victim engaged with the spoofed interface.
A significant technical upgrade in NFCMultiPay is its communication protocol. While earlier versions relied on REST polling, the current iteration uses event-driven MQTT over TCP port 1883. This significantly reduces latency, allowing for near-instantaneous relaying of data between the victim and the attacker.
The Role of Generative AI in Malware Evolution
A concerning trend observed by researchers is the evidence of AI-assisted development. DevilNFC features highly structured, logically complex phishing templates, while NFCMultiPay exhibits logging formats that mirror the output of Large Language Models (LLMs). This suggests that generative AI, combined with open-source frameworks like NFCGate, is significantly lowering the barrier to entry for sophisticated mobile fraud.
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| Domain | nfcrackatm[.]com | DevilNFC C2 / Relay Server |
| Domain | spicynagets[.]shop | DevilNFC C2 / Relay Server |
| IPv4 | 185.203.116[.]18 | NFCMultiPay C2 |
| IPv4 | 47.253.167[.]219 | NFCMultiPay C2 |
| MD5 | caa5e8cf3275339d251210072ebe88c2 | DevilNFC Apk Sample |
| MD5 | 35dd9c3a56e88a39bf6c8fdad46b0398 | NFCMultiPay Apk Sample |
| MD5 | 9d19527aeb4cabfb40bbaea6d73b5ff0 | NFCMultiPay Apk Sample |
| Package Name | com.devilnfc.reader | DevilNFC APK Package Name |
Note: IP addresses and domains have been defanged (e.g., [.]) to prevent accidental resolution. Please re-fang these indicators only within controlled threat intelligence environments such as MISP, VirusTotal, or your SIEM.