Kaspersky has reported a sharp rise in NFC-based cyberattacks targeting Android smartphones, with incidents increasing by 188% in the first four months of 2026 compared to the same period in 2025.
According to Kaspersky telemetry, security solutions blocked 35,600 attacks from January to April 2026 involving Android malware families that exploit NFC (Near Field Communication) technology. These include SuperCard X, PhantomCard, NGate, and modified versions of the NFCGate tool, significantly higher than the 12,300 attacks recorded during the same period in 2025.
Kaspersky noted that while Russia remains the most frequently affected region, NFC-based threats are also increasingly detected in Latin America and Europe, signaling a broader global expansion of this attack vector.
Cybercriminals are primarily using two NFC fraud schemes: “direct NFC,” where victims are tricked into tapping bank cards on infected devices and entering PINs, and “reverse NFC,” a more advanced method where malicious apps simulate payment signals that deceive victims into transferring funds at ATMs.
Security experts warn that the “reverse NFC” technique is becoming more prevalent due to its ability to mask fraudulent transactions as legitimate user activity. In this scheme, victims are socially engineered into depositing money into so-called “secure accounts,” which are actually controlled by attackers.
“The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect,” said Sergey Golovanov, chief security expert at Kaspersky, emphasizing that victims unknowingly initiate transactions that appear legitimate to banking systems.
Kaspersky also highlighted that NFC relay malware has evolved into malware-as-a-service offerings, lowering the barrier for cybercriminals and expanding the scale of global attacks. Early incidents were first observed in Europe in late 2023 before spreading to Russia and other regions.
To mitigate risks, Kaspersky advises users to avoid installing apps from unofficial sources, ignore instructions from unknown contacts at ATMs, and use comprehensive mobile security solutions to block phishing and malware installation attempts.
