As contactless payments become more popular and convenient, so do the threats targeting this technology. Near Field Communication (NFC) has changed how we pay. Whether you’re tapping a card or waving a phone over a terminal, it’s fast, seamless, and widely adopted.
Convenient, yes. But that convenience comes with risk.
One emerging threat financial institutions and consumers must understand is the NFC relay attack. It’s a sophisticated form of fraud that exploits the very nature of contactless technology.
What is an NFC relay attack?
An NFC relay attack is a contactless payment fraud in which criminals intercept and relay the communication between a payment card (or device) and a payment terminal, often without the cardholder's knowledge.
Let’s break that down with a simple example.
Imagine sitting in a café with your contactless card in your pocket. A fraudster nearby uses a hidden NFC reader to "wake up" your card and capture its signal. That signal is relayed in real time to another device, perhaps in a shop across town, where a second fraudster uses it to make a purchase as if they had your physical card.
The transaction appears legitimate because, technically, it is your card being used, just not by you.
A real-world example: the SuperCard X operation
In a recent investigation, Cleafy’s Threat Intelligence team uncovered a sophisticated new malware campaign, dubbed SuperCard X, that demonstrates how the threat landscape is expanding beyond traditional banking apps and into the infrastructure of contactless payments.
SuperCard X is a novel Android malware distributed via a Malware-as-a-Service (MaaS) platform, designed to carry out Near Field Communication (NFC) relay attacks that authorise fraudulent ATM withdrawals and POS payments.
What makes this malware particularly dangerous is its multi-stage, minimalistic approach:
- Distributed through social engineering tactics (e.g., smishing and scam calls)
- Deployed via a malicious app with minimal permissions, bypassing many mobile security filters
- Executes an NFC-based relay attack, enabling fraudulent transactions by intercepting and transmitting card data through the victim’s infected phone
This technique goes far beyond conventional mobile fraud. It blurs the line between digital and physical fraud, using the victim's own device as a payment proxy, often without their awareness. It also demonstrates that many fraud attacks, such as those classified as Authorised Push Payment (APP) scams, are often more complex than they appear and leave digital traces that institutions can act on.
Why is it so difficult to detect?
SuperCard X illustrates a growing trend in mobile fraud:
- Lower permission profiles make malware harder to detect
- Malware authors avoid common flags like overlay capabilities or SMS listeners
- Antivirus and signature-based detection fail to catch these lightweight apps
This mirrors a broader shift in attacker behaviour: reducing runtime signals and instead hiding in plain sight, until it’s too late.
Risks and implications for banks and consumers
For banks, the consequences of NFC relay attacks can be severe. Financially, they result in direct losses from unauthorised transactions and increased fraud reimbursements. Operationally, they drive up investigation costs and burden already-stretched fraud teams.
There’s also the reputational fallout. Institutions that cannot protect customers from emerging fraud threats risk losing consumer trust, a far more difficult asset to recover than funds.
For consumers, this type of contactless fraud is especially unsettling. Unlike traditional card theft, these attacks are invisible. There is no stolen card, no obvious breach, just a mysterious charge on their statement that undermines confidence not only in their bank but in the contactless ecosystem as a whole.
NFC relay attacks: detection and prevention strategies
SuperCard X is a wake-up call that fraud prevention can’t rely on runtime detection alone. The speed and stealth of mobile malware, and of broader fraud campaigns generally, demand:
Shift-left fraud prevention approach
We must detect threats earlier - during app install or even app launch - not after a session begins. Our new NFC detection logic is just one example of this philosophy.
Full session reconstruction
Context is critical. When malware like SuperCard X uses NFC relay at a physical terminal, understanding what happened before, during, and after the tap is essential. Cleafy’s dynamic session reconstruction provides complete visibility, correlating seemingly benign actions across time and channels.
Multi-layered detection models
No single signal is enough. Fraudsters exploit siloed defences. Cleafy’s model combines:
- Device and application integrity analysis (e.g., NFC permissions)
- User prediction (e.g., number of users associated with a device, IP, or browser)
- Real-time behavioural monitoring (e.g., device-on-call during limits changes)
- Transaction risk analysis (e.g., locations and payees)
- Shared threat intelligence (e.g., known campaign indicators)
This layered approach is the only sustainable path forward against fast-moving and ever-evolving fraud attacks.
How Cleafy helps to prevent NFC relay attacks
From overlay attacks and NFC relay to Account Takeover and APP scams, Cleafy evolves with the threat landscape.
Our platform already detects many behaviours SuperCard X relies on (e.g., on-call state changes, PIN prompts, social engineering patterns), but we took a step further by introducing a new capability in our Mobile SDK.
We now detect mobile applications that request NFC permissions at SDK initialisation, even if no active malware behaviour is detected.
This enables:
- Proactive visibility into apps that could be weaponised for NFC-based attacks
- Enhanced analysis, improving Cleafy's ability to flag malicious potential earlier
- Support for our embedded threat intelligence service, Ask, to build new signatures faster, helping banks and payment providers act before fraud occurs.
In short, we’re pushing our detection further left, shifting visibility and intervention earlier in the lifecycle, where it’s harder for attackers to hide.
It’s another step toward a more proactive, more resilient fraud defence posture.
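To make the layered model concrete, here is an added example (not Cleafy's code or SDK) that replays a constructed session log and combines the device-integrity signal described above (an untrusted app holding the NFC permission), the behavioural signal (device on a call while limits change) and the transaction signal (a card-present tap soon after, in another city) into one score with the reasons behind it. The event schema, point values and the `trusted` allowlist flag are assumptions made for the example.

```python
from datetime import datetime, timedelta

NFC_PERMISSION = "android.permission.NFC"  # held by any app that drives the NFC controller


def assess_session(events):
    """Replay one session's events in time order and combine the device, behavioural
    and transaction layers into one score plus the reasons behind it (assumed schema:
    each event is a dict with an ISO-8601 'ts', a 'type' and type-specific fields)."""
    hits, nfc_apps, on_call, limit_change_at, login_city = [], [], False, None, None
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "app_inventory":      # device/application integrity layer
            nfc_apps = [a["package"] for a in e["apps"]
                        if NFC_PERMISSION in a["permissions"] and not a.get("trusted")]
        elif e["type"] == "call_state":       # behavioural layer
            on_call = e["state"] == "offhook"
        elif e["type"] == "login":
            login_city = e["city"]
        elif e["type"] == "limit_change":
            limit_change_at = t
            if on_call:
                hits.append((40, "limit raised while the device was on a call"))
        elif e["type"] == "card_present_tx":  # transaction risk layer
            if nfc_apps:
                hits.append((30, f"untrusted NFC-capable app(s) installed: {nfc_apps}"))
            if limit_change_at and t - limit_change_at < timedelta(minutes=30):
                hits.append((20, "card-present transaction minutes after a limit change"))
            if login_city and e["city"] != login_city:
                hits.append((20, f"tap in {e['city']} while the app session is in {login_city}"))
    return {"score": sum(p for p, _ in hits), "reasons": [r for _, r in hits]}


def sample_session():
    """Constructed events reproducing the pattern described in the post."""
    return [
        {"ts": "2025-05-01T09:00:00", "type": "app_inventory", "apps": [
            {"package": "com.example.bank", "permissions": [NFC_PERMISSION], "trusted": True},  # bank's own app
            {"package": "com.example.reader", "permissions": [NFC_PERMISSION]}]},
        {"ts": "2025-05-01T09:01:00", "type": "login", "city": "Milan"},
        {"ts": "2025-05-01T09:02:00", "type": "call_state", "state": "offhook"},
        {"ts": "2025-05-01T09:05:00", "type": "limit_change", "new_limit": 5000},
        {"ts": "2025-05-01T09:20:00", "type": "card_present_tx", "amount": 900, "city": "Rome"},
    ]


if __name__ == "__main__":
    print(assess_session(sample_session()))
```

No single event in the sample is conclusive on its own; the score only crosses a review threshold because the signals are correlated across the whole session.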
The future of NFC security
As fraud tactics evolve, so must security responses. Emerging technologies—like tokenisation, transaction context analysis, and AI-powered threat detection—promise to enhance the resilience of NFC systems.
However, there’s no silver bullet. The key lies in continuous monitoring, agile fraud response frameworks, and proactive investment in threat intelligence. Financial institutions that stay ahead of the curve will not only minimise fraud losses but also protect the trust that underpins every tap.
If you're a fraud or cybersecurity lead at a financial institution, here’s what this means for you:
- Expand your visibility: Don’t just focus on traditional app behaviours. Pay attention to what else is installed on the device, and what permissions those apps have — relay attacks often piggyback on seemingly benign apps with excessive access.
- Don’t wait for runtime signals to escalate: Modern mobile fraud is designed to stay quiet. Cleafy helps spot signs earlier—during app install, session setup, or login—by analysing runtime signals in real time, not just reacting to them later.
- Equip your analysts: Isolated events rarely tell the full story. Give your fraud teams tools that provide a complete picture - full-session visibility, device context, and behavioural baselines - so they can connect the dots faster and more confidently.
NFC fraud may be invisible, but your defences shouldn’t be.
If you'd like to see how this applies to your mobile security strategy, get in touch with our team.