According to Infosecurity Magazine, Group-IB researchers have documented a surge in Android malware, dubbed “Ghost Tap,” that enables remote NFC payment fraud. More than 54 malicious APK samples, often disguised as legitimate finance apps, are being sold on Chinese-language Telegram channels by vendors like TX-NFC, which boasts over 21,000 subscribers. Between November 2024 and August 2025, at least $355,000 in fraudulent transactions were linked to just one point-of-sale terminal vendor advertising on the platform. The scam works by tricking victims via smishing into installing an app and tapping their card to their phone, which then relays the data to a criminal-controlled device. Law enforcement advisories and arrests related to this cardless fraud have already occurred in the Czech Republic, Singapore, Malaysia, and the United States.
The New Mule Network
Here’s the thing that makes this so scalable: it’s not just about tricking one victim at a time. The report details how criminals are building entire mobile wallet-based mule networks. They preload phones with compromised card data and then have people walk into physical stores across multiple countries to make purchases. It’s a chillingly efficient physical-digital hybrid. The old model required skimming a card and cloning it to plastic. Now, the “cloned” card just lives in a phone, which is way harder for a cashier to question. This shift lowers the barrier for fraud and spreads the risk across a network of expendable couriers.
A Subscription Service for Fraud
Maybe the most brazen aspect is the business model. This isn’t some obscure dark web forum deal. Groups like TX-NFC, X-NFC, and NFU Pay are operating openly on Telegram, offering this malware with tiered pricing—short-term trials, monthly subscriptions, the whole nine yards. They provide customer support and even tailor builds for different regions. They share receipts of successful “cash-outs” as social proof. Basically, they’ve productized financial theft. This commoditization is a huge red flag. It means the knowledge and tools are spreading fast among cybercriminal circles, moving from elite hackers to anyone with a Telegram account and a few hundred dollars.
Where Do We Go From Here?
So what’s the trajectory? Group-IB says detections have been steadily climbing since mid-2024, with new variants emerging while old ones stay active. That tells you this isn’t a fad; it’s becoming a staple in the fraud toolkit. The defenses recommended—user education, monitoring for rapid wallet enrollments, spotting geographically impossible transactions—are all reactive. They’re about damage control. The real solution needs to be more fundamental in the payment protocols themselves. Could we see a push for more mandatory two-factor authentication for NFC payments? Or stricter binding between a card’s digital token and the specific, legitimate device it’s enrolled on? The arms race just entered a new phase, and the banks and payment networks are playing catch-up. For industries relying on secure transaction hardware, from retail to hospitality, understanding these evolving threats is critical.
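The two monitoring defenses named above, rapid wallet enrollments and geographically impossible transactions, sketched as detection logic over issuer-side records. This is an added example, not code from Group-IB or the article; the record layouts, identifiers and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0                      # assumed: faster than this between two taps is implausible
MIN_KM = 50.0                        # assumed: ignore hops between nearby terminals
ENROLL_WINDOW = timedelta(hours=1)   # assumed enrollment window
MAX_CARDS_PER_DEVICE = 3             # assumed per-device limit inside the window

def haversine_km(a, b):  # great-circle distance between two (lat, lon) points
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(taps):
    """taps: (card_id, iso_time, (lat, lon)). Flag consecutive taps needing speed > MAX_KMH."""
    by_card = defaultdict(list)
    for card, ts, loc in taps:
        by_card[card].append((datetime.fromisoformat(ts), loc))
    alerts = []
    for card, events in by_card.items():
        events.sort()
        for (t1, p1), (t2, p2) in zip(events, events[1:]):
            km, hours = haversine_km(p1, p2), (t2 - t1).total_seconds() / 3600
            if km > MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((card, t1.isoformat(), t2.isoformat()))
    return alerts

def rapid_enrollments(enrollments):
    """enrollments: (device_id, iso_time, card_id). Flag devices adding too many distinct cards."""
    by_device = defaultdict(list)
    for device, ts, card in enrollments:
        by_device[device].append((datetime.fromisoformat(ts), card))
    flagged = set()
    for device, events in by_device.items():
        for t0, _ in events:  # every event opens a candidate window
            cards = {c for t, c in events if timedelta(0) <= t - t0 <= ENROLL_WINDOW}
            if len(cards) > MAX_CARDS_PER_DEVICE:
                flagged.add(device)
    return sorted(flagged)

# Constructed sample records (not real data).
TAPS = [("card-A", "2025-03-01T10:00:00", (50.0755, 14.4378)),   # Prague
        ("card-A", "2025-03-01T10:20:00", (1.3521, 103.8198)),   # Singapore, 20 minutes later
        ("card-B", "2025-03-01T09:00:00", (50.0755, 14.4378)),
        ("card-B", "2025-03-01T09:30:00", (50.0870, 14.4210))]   # same city, not flagged
ENROLLMENTS = [(d, f"2025-03-01T08:{m:02d}:00", c) for d, m, c in [("dev-1", 0, "card-A"),
               ("dev-1", 5, "card-C"), ("dev-1", 10, "card-D"), ("dev-1", 15, "card-E"), ("dev-2", 0, "card-B")]]
```

On the sample data, `impossible_travel(TAPS)` flags only card-A and `rapid_enrollments(ENROLLMENTS)` flags only dev-1.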
The Bigger Picture
Look, contactless payment is incredibly convenient. But this malware exposes a terrifying trust gap. We’re taught that a tap payment is secure because it needs physical proximity. Ghost Tap malware shatters that assumption entirely. It creates a virtual, unlimited-length wire between your card and a criminal’s terminal. The arrests across the US, Europe, and Asia show law enforcement is aware, but can they keep up with a subscription-service crime wave? This feels like the early days of card skimming, before EMV chips shut that down. The industry needs its “chip moment” for the contactless, phone-centric world—and it needs it fast. Because right now, the criminals are innovating faster.
