Group-IB researchers detail the inner workings of Chinese tap-to-pay schemes on Telegram and examine the NFC-enabled Android apps fraudsters are using to steal money from victims’ bank cards and mobile wallets remotely.

Key Takeaways
Chinese threat actors are deploying NFC-enabled Android applications to carry out unauthorized tap-to-pay transactions remotely using victims’ bank cards.
Multiple app variants are promoted and sold across Chinese cybercrime communities on Telegram.
Through smishing and vishing campaigns, victims are lured into installing APKs and tapping their cards against their devices.
Illicitly acquired POS terminals are used for cash-outs, with terminals from major institutions openly advertised on Telegram. At least $355,000 in illegitimate transactions was recorded from one POS vendor alone between November 2024 and August 2025.
In another observed scenario, mobile wallets preloaded with compromised cards are used by mules across the globe to make purchases.
Over 54 APK samples have been identified, some masquerading as applications of legitimate institutions.
Introduction
Group-IB researchers have observed the growing proliferation of NFC-enabled Android tap-to-pay malware developed and sold within Chinese cybercrime communities on Telegram.
Also referred to as “Ghost Tap”, these applications relay NFC communications between the criminal’s device and either a victim’s device or a mobile wallet loaded with compromised payment cards. This technique allows criminals to complete payments or cash out remotely as though the victims’ cards were physically present.