Mallory
Malware

RelayNFC

RelayNFC is an Android malware family used to conduct NFC relay attacks against contactless payment cards. Reporting places its deployment in late 2025, with campaigns targeting users in Brazil, including Brazilian banking customers, and distribution via phishing sites and decoy Portuguese-language pages. The malicious app masquerades as a payment-card security or verification tool and socially engineers victims into tapping their card to the phone and entering its PIN. RelayNFC then reads the contactless card and relays the EMV APDU exchange in real time over WebSockets to attacker-controlled infrastructure, so the attackers can complete fraudulent transactions that look to the terminal as if the physical card were present.

Technical reporting states the malware is built with React Native and ships its logic as a Hermes-compiled bytecode payload rather than plain JavaScript, which complicates static analysis and contributes to its lightweight, evasive profile; one report noted zero VirusTotal detections at the time of publication. Additional reporting indicates the operators were experimenting with Host Card Emulation (HCE) for future attacks. RelayNFC has been discussed alongside other NFC relay malware families such as NGate and SuperCard X as part of a broader trend of mobile malware abusing NFC for financial fraud.
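The relay described above, as an added toy model that is not RelayNFC's code and is not taken from any of the reports: one coroutine stands in for the attacker's device emulating the card at a terminal, another stands in for the malware forwarding each APDU to the tapped card, and two asyncio queues stand in for the WebSocket channel. The SELECT PPSE command and the PPSE name are the real EMV values; the card's reply is a constructed minimal FCI, and the 20 ms round-trip threshold is an assumed stand-in for the card-specified limits that EMV relay-resistance protocols actually enforce with a dedicated command. The point it makes is that the relayed exchange is byte-for-byte identical to a genuine tap, so timing is the defender's main lever.

```python
"""Toy NFC relay model: terminal <-> attacker device <-> network <-> victim phone <-> card."""
import asyncio
import time
from typing import Tuple

# SELECT by DF name (ISO 7816-4) is the first command a contactless EMV terminal sends.
# The PPSE name is the real value from EMV Book B; the FCI reply below is constructed.
PPSE_NAME = b"2PAY.SYS.DDF01"
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"

# Assumed threshold: round trips slower than this are treated as relayed. Real EMV
# relay-resistance protocols use limits supplied by the card; this is a stand-in.
RRP_MAX_RTT_S = 0.020


def build_select(name: bytes) -> bytes:
    """Encode SELECT (CLA=00 INS=A4 P1=04 P2=00) with Lc, the DF name and Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"


def parse_apdu(apdu: bytes) -> dict:
    """Split a command APDU into header fields, command data and optional Le."""
    cla, ins, p1, p2, lc = apdu[:5]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "data": apdu[5:5 + lc],
            "le": apdu[5 + lc] if len(apdu) > 5 + lc else None}


class MockCard:
    """Constructed card: answers SELECT PPSE with a minimal FCI, rejects anything else."""
    # 6F (FCI template) 12 | 84 0E <PPSE name> | A5 00 (empty proprietary template)
    FCI = b"\x6f\x12" + b"\x84\x0e" + PPSE_NAME + b"\xa5\x00"

    def transmit(self, apdu: bytes) -> bytes:
        cmd = parse_apdu(apdu)
        if cmd["ins"] == 0xA4 and cmd["p1"] == 0x04 and cmd["data"] == PPSE_NAME:
            return self.FCI + SW_OK
        return SW_FILE_NOT_FOUND


async def victim_phone(card: MockCard, inbound: asyncio.Queue,
                       outbound: asyncio.Queue, latency_s: float) -> None:
    """Malware side: pass each APDU from the attacker to the tapped card, send the reply back."""
    while True:
        apdu = await inbound.get()
        if apdu is None:                      # shutdown sentinel
            return
        await asyncio.sleep(latency_s)        # network hop attacker -> phone
        response = card.transmit(apdu)        # the card is physically tapped to this phone
        await asyncio.sleep(latency_s)        # network hop phone -> attacker
        await outbound.put(response)


async def relayed_exchange(apdu: bytes, latency_s: float) -> Tuple[bytes, float]:
    """Attacker side: answer the terminal's APDU by relaying it to the victim phone."""
    to_phone, to_attacker = asyncio.Queue(), asyncio.Queue()
    worker = asyncio.create_task(victim_phone(MockCard(), to_phone, to_attacker, latency_s))
    start = time.perf_counter()
    await to_phone.put(apdu)
    response = await to_attacker.get()
    rtt = time.perf_counter() - start
    await to_phone.put(None)
    await worker
    return response, rtt


def direct_exchange(apdu: bytes) -> Tuple[bytes, float]:
    """Genuine tap: the terminal talks to the card with no network in between."""
    start = time.perf_counter()
    response = MockCard().transmit(apdu)
    return response, time.perf_counter() - start


def looks_relayed(rtt_s: float) -> bool:
    """Simplified relay-resistance verdict based only on round-trip time."""
    return rtt_s > RRP_MAX_RTT_S


def run_demo(latency_s: float = 0.030) -> dict:
    """Compare a genuine tap with a relayed one: same bytes, different timing."""
    select_ppse = build_select(PPSE_NAME)
    direct_resp, direct_rtt = direct_exchange(select_ppse)
    relayed_resp, relayed_rtt = asyncio.run(relayed_exchange(select_ppse, latency_s))
    return {
        "apdu": select_ppse.hex(),
        "direct": {"response": direct_resp.hex(), "rtt_s": direct_rtt,
                   "flagged": looks_relayed(direct_rtt)},
        "relayed": {"response": relayed_resp.hex(), "rtt_s": relayed_rtt,
                    "flagged": looks_relayed(relayed_rtt)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))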


MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1566 Phishing (evidence: 3)

"Phishing was the most widely used method for initial access... These actors usually rely on traditional initial-access methods, such as phishing via email, SMS and WhatsApp messages, impersonating financial institutions and requesting invoices or payments."

T1566.002 Spearphishing Link (evidence: 1)

"The lures are distributed via malicious links that redirect to fake login pages..."

Defense Evasion (1 technique)

T1027 Obfuscated Files or Information (evidence: 1)

"...utilizes a Hermes-compiled payload with a JavaScript engine to stealthily capture and relay card data..."
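Added triage helper for the T1027 evidence above (not from the original page or any cited report): a React Native app ships its JavaScript in assets/index.android.bundle, and when Hermes is enabled that file is Hermes bytecode rather than source text, which is what makes the usual "grep the bundle" static analysis fail. The check reads the 8-byte magic and the 4-byte bytecode version from the file header as laid out in Hermes's BytecodeFileFormat.h; the magic constant is stated from memory and should be confirmed against the Hermes source for the version you target. The sample bundles are constructed inline, and triage_apk is an assumed helper name that applies the same check to a real APK.

```python
"""Classify a React Native bundle as Hermes bytecode or plain JavaScript."""
import struct
import zipfile
from typing import Optional

# Header constants per hermes/include/hermes/BCGen/HBC/BytecodeFileFormat.h
# (assumption: verify against the Hermes source for your target version).
HERMES_MAGIC = 0x1F1903C103BC1FC6
HEADER_FMT = "<QI"                  # little-endian uint64 magic, uint32 bytecode version
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Path React Native uses for the packaged JS bundle inside an APK.
BUNDLE_PATH = "assets/index.android.bundle"


def hermes_version(blob: bytes) -> Optional[int]:
    """Return the Hermes bytecode version if blob starts with a Hermes header, else None."""
    if len(blob) < HEADER_LEN:
        return None
    magic, version = struct.unpack_from(HEADER_FMT, blob, 0)
    return version if magic == HERMES_MAGIC else None


def classify_bundle(blob: bytes) -> str:
    """Label a bundle as Hermes bytecode, plain JavaScript text, or unknown."""
    version = hermes_version(blob)
    if version is not None:
        return f"hermes-bytecode v{version}"
    try:
        text = blob[:4096].decode("utf-8")
    except UnicodeDecodeError:
        return "unknown-binary"
    # Metro output begins with a prelude (var __BUNDLE_START_TIME__ ...) and __d( module definitions.
    if "__d(" in text or text.lstrip().startswith(("var ", "!function", "(function")):
        return "plain-javascript"
    return "unknown-text"


def triage_apk(apk_path: str) -> dict:
    """Open an APK and classify its React Native bundle, noting whether libhermes.so is packaged."""
    with zipfile.ZipFile(apk_path) as apk:
        names = apk.namelist()
        has_hermes_lib = any(n.endswith("libhermes.so") for n in names)
        if BUNDLE_PATH not in names:
            return {"bundle": None, "kind": "no-react-native-bundle", "hermes_lib": has_hermes_lib}
        blob = apk.read(BUNDLE_PATH)
        return {"bundle": BUNDLE_PATH, "kind": classify_bundle(blob),
                "size": len(blob), "hermes_lib": has_hermes_lib}


# Constructed samples (not taken from any real app).
SAMPLE_HERMES = struct.pack(HEADER_FMT, HERMES_MAGIC, 96) + b"\x00" * 32
SAMPLE_JS = (b"var __BUNDLE_START_TIME__=this.nativePerformanceNow?nativePerformanceNow():Date.now();"
             b"__d(function(g,r,i,a,m,e,d){},0,[]);")


if __name__ == "__main__":
    import sys
    for sample_name, sample in (("hermes", SAMPLE_HERMES), ("js", SAMPLE_JS)):
        print(sample_name, "->", classify_bundle(sample))
    if len(sys.argv) > 1:
        print(triage_apk(sys.argv[1]))
```

A Hermes verdict means the bundle needs a Hermes-aware disassembler rather than a JavaScript beautifier; a plain-JavaScript verdict alongside a packaged libhermes.so is worth a second look, since the bundle may be swapped at runtime.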

Credential Access (2 techniques)

T1056 Input Capture (evidence: 1)

"...captures victims' card details for fraudulent transactions."

T1649 Steal or Forge Authentication Certificates (evidence: 1)

"...asking victims to hold their cards to the phone and enter their personal identification numbers (PIN) to authenticate. Once the credentials are fraudulently obtained, they are relayed to the attackers."

Note on this mapping: T1649 covers theft or forgery of authentication certificates; the quoted evidence describes capturing a card PIN typed into the app, which fits T1056 Input Capture more closely.

Collection (1 technique)

T1056 Input Capture (evidence: 1)

"...captures victims' card details for fraudulent transactions."

(T1056 is listed under both Credential Access and Collection, as in ATT&CK, and counts once toward the five techniques above.)
