Cybercriminals are aggressively ramping up their attacks on Android users. According to data released by cybersecurity firm Kaspersky, near-field communication (NFC) scam attacks surged by a staggering 188% during the first four months of 2026. Between January and April 2026, Kaspersky blocked approximately 35,600 attacks linked to Android malware. In contrast, the firm detected and blocked just 12,300 similar attacks during the same period last year.
A closer look at these threats reveals a specific mechanism: hackers are not breaking the NFC protocol itself. Instead, they are deploying “Tap-and-Steal” NFC relay malware that exploits Android’s Host Card Emulation (HCE). They manipulate users and abuse device-level permissions to steal payment data and conduct fraudulent transactions.
How the NFC Relay Malware Actually Works
Attackers rely heavily on social engineering to launch this exploit. First, they trick victims into installing malware disguised as legitimate banking, payment, or government applications. Once installed, the malicious app prompts the user to set it as the default NFC payment method.
Subsequently, background services silently take control. When the victim uses their phone, the malware forwards the payment terminal’s request to an attacker-controlled server. The server then sends a crafted response back to the terminal. Ultimately, this relay allows hackers to steal data and authorize fraudulent transactions in real time without the user noticing.
The Role of Telegram & “Mamonts”
Threat actors operate these campaigns with frightening efficiency. Security analysts have identified over 70 command-and-control servers driving these attacks globally. Furthermore, hackers use dozens of Telegram bots and private channels to coordinate the data theft.
In cybercriminal slang, attackers refer to their victims as “Mamonts”. Some malware variants are designed exclusively to scrape card data. They extract crucial EMV fields, including card numbers and expiration dates. Afterward, the malware automatically exfiltrates this sensitive information directly into private Telegram channels.
Protecting Your Android Device
This tap-and-steal threat is expanding rapidly across digital financial services. Hackers are actively impersonating trusted financial institutions to deceive consumers. Therefore, users must take immediate and proactive steps to defend their finances.
Most importantly, you should always avoid downloading applications from unofficial or unverified third-party sources. Additionally, treat any unfamiliar app that requests NFC payment privileges as a critical security risk. Finally, keep your operating system updated and utilize resilient, on-device mobile security solutions to detect malicious behaviors before they compromise your bank account.
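For analysts vetting apps before they reach users, a static triage check for the pattern described above (an added example, not code from Kaspersky or the original article): it reads a decoded AndroidManifest.xml and the apduservice resource it references, and flags apps outside an approved list that register an HCE payment service. The package names, allowlist, AID and sample XML are constructed for illustration, and the input is assumed to be XML already decoded to text.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
APPROVED_WALLETS = {"com.example.approvedwallet"}  # constructed allowlist (assumption)

# Constructed sample: decoded manifest and apduservice resource of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".CardService" android:permission="android.permission.BIND_NFC_SERVICE">
    <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
    <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apdu"/>
  </service></application></manifest>"""
SAMPLE_APDU = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android">
  <aid-group android:category="payment"><aid-filter android:name="F0010203040506"/></aid-group>
</host-apdu-service>"""

def hce_services(manifest_xml):
    """Return (package, permissions, [(service name, apduservice resource ref)])."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if HCE_ACTION in actions:  # service handles APDUs from an NFC reader
            res = next((m.get(ANDROID + "resource") for m in svc.iter("meta-data")
                        if m.get(ANDROID + "name") == HCE_META), None)
            found.append((svc.get(ANDROID + "name"), res))
    return root.get("package"), perms, found

def is_payment_category(apduservice_xml):
    """True if any aid-group declares category 'payment' (eligible as default payment app)."""
    root = ET.fromstring(apduservice_xml)
    return any(g.get(ANDROID + "category") == "payment" for g in root.iter("aid-group"))

def triage(manifest_xml, apdu_resources):
    """apdu_resources maps a resource reference such as '@xml/apdu' to its decoded XML."""
    package, perms, services = hce_services(manifest_xml)
    findings = []
    for name, res in services:
        payment = res in apdu_resources and is_payment_category(apdu_resources[res])
        if not payment or package in APPROVED_WALLETS:
            continue
        reason = "payment HCE service in unapproved app"
        if "android.permission.INTERNET" in perms:
            reason += "; app can reach the network, so APDUs could be relayed"
        findings.append({"package": package, "service": name, "reason": reason})
    return findings
```

A finding is a prompt for manual review, not proof of malice: legitimate wallets match the same pattern until they are added to the approved list.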
