DevilNFC Android Malware Combines Kiosk Mode Lock and NFC Relay to Steal Card Data

Researchers uncover DevilNFC, an Android malware that locks devices in Kiosk Mode and uses NFC relay to steal banking data from victims in Europe and Latin America.

CSBadmin

Kiosk Mode Trap and NFC Relay Attack

A newly identified Android malware variant, named DevilNFC by researchers, uses a sophisticated combination of NFC relay techniques and Android’s Kiosk Mode to carry out financial theft. The attack starts with a phishing message sent via SMS or WhatsApp, which directs the victim to a fake Google Play Store page. This page presents the malicious app as a mandatory security update from a Spanish-language bank. Once installed, the malware activates immediately, locking the device using Kiosk Mode and displaying a fraudulent banking interface fetched from a remote server. The system UI disappears, and the hardware back button is disabled, trapping the victim inside the fake screen while the malware silently uses NFC to relay card data from a nearby card to the attacker.

Generative AI Assisted Development

Cleafy’s Threat Intelligence and Response team identified DevilNFC as one of two new NFC relay malware families, alongside NFCMultiPay. Although they share no code or infrastructure, both are actively targeting banking customers across Europe and Latin America. Researchers noted that both families show patterns consistent with generative-AI-assisted development. Over-engineered phishing templates in DevilNFC and LLM-characteristic, emoji-formatted logging in NFCMultiPay suggest that operators are using uncensored AI models alongside leaked malware codebases from public repositories. This lowers the barrier for building functional Android malware and marks a significant shift in the NFC relay threat landscape.

Impact and Mitigation

DevilNFC represents a dangerous evolution in mobile malware, as it completely isolates the victim while the NFC relay attack completes. Users should be cautious of unsolicited messages urging them to install security updates from banks, especially those that ask for NFC permissions. Android users should verify app sources, avoid sideloading apps, and keep their devices updated to the latest security patches to reduce the risk of such attacks.

Source: Cyber Security News
