TX-NFC

TX-NFC is an Android NFC relay malware/app variant associated with the broader "Ghost Tap"/"Ghost Tapped" tap-to-pay fraud ecosystem. It is identified by Group-IB as one of three major vendors of Android NFC relay apps, alongside X-NFC and NFU Pay, and is advertised in Telegram-based Chinese cybercrime communities. The malware is used in schemes where victims are tricked into installing malicious APKs, often disguised as banking or payment applications, and are prompted to tap their payment cards to the infected device. The app captures NFC card data and transmits it to attacker-controlled infrastructure, where it is relayed to a separate "tapper" app used by criminals to conduct fraudulent transactions at POS terminals and, in some cases, ATMs. Reported capabilities across this malware category include requesting NFC and internet permissions, collecting device identifiers and authentication data, and communicating with command-and-control servers over WebSocket or MQTT. Group-IB reported a surge in these NFC-enabled Android tap-to-pay malware offerings and stated that at least $355,000 in illegitimate transactions were recorded from one POS vendor alone between November 2024 and August 2025. Thousands of victims were reported globally, and arrests tied to this activity occurred in the United States, Singapore, the Czech Republic, and Malaysia.