A sophisticated new attack dubbed “Ghost Tapped” is enabling Chinese threat actors to steal funds directly from Android users’ bank accounts. This novel abuse of Near Field Communication (NFC) technology lets criminals complete card-present transactions without ever holding the victim’s physical bank card, allowing them to execute fraudulent payments remotely.
Security researchers have identified over 54 variations of these malicious Android applications, a significant number of which are actively promoted on platforms like Telegram. The Ghost Tapped attack relies on deceptive tactics to trick victims into installing the malicious apps, which in turn capture sensitive payment information.
Understanding the Ghost Tapped Attack Mechanism
The Ghost Tapped malware operates through a two-component system, according to analysis by Group-IB. The first part, a “reader” application, is installed on the victim’s Android device. This app is designed to capture payment card information when the user is tricked into tapping their bank card against their phone, often under the guise of a security or registration process.
Once the reader app has captured the card data, it encrypts the information and transmits it to a command-and-control (C2) server. From this server, the data is relayed to a “tapper” application operated by the criminals. The tapper application then presents the stolen payment details to a point-of-sale (POS) terminal, which the perpetrators have stolen or otherwise obtained illicitly.
To the legitimate POS terminal, the transaction appears entirely authentic, as if the criminal’s device were a genuine bank card. This sophisticated relay attack effectively masks the fraudulent activity, making it difficult to trace back to its origin.
Technical Details and Scale of the Threat
The malicious applications declare the NFC and internet permissions they need to function, `android.permission.NFC` and `android.permission.INTERNET`. Upon installation, they gather device identifiers and authentication credentials and send this data to remote servers over WebSocket or MQTT, which gives the threat actors a persistent channel for communication and control.
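The permission combination above is cheap to check during app triage. The following is an added example, not tooling from Group-IB or the article: it parses a decoded AndroidManifest.xml (for instance from `apktool d app.apk`) and flags the NFC plus INTERNET pairing the article describes. As an extra heuristic that goes beyond the article, it also looks for a host-card-emulation service (the Android `HOST_APDU_SERVICE` intent action), which is what an app needs in order to present card data to a POS terminal the way the “tapper” component does. The manifests below are constructed samples, and the package and class names in them are hypothetical.

```python
"""Heuristic manifest triage for the NFC-relay permission pattern.

Added example; assumes the manifest has already been decoded to XML text
(e.g. by apktool). It flags apps for analyst review, it does not block them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name in ElementTree form

# Permissions named in the Ghost Tapped analysis.
NFC = "android.permission.NFC"
INTERNET = "android.permission.INTERNET"
# Added heuristic (not from the article): an app that emulates a payment card
# must register a host-card-emulation service via this intent action.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return declared permissions, HCE services, and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    perms.discard(None)

    # A <service> is an HCE service if any <action> under it carries HCE_ACTION.
    hce_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if any(act.get(NAME_ATTR) == HCE_ACTION for act in svc.iter("action"))
    ]

    findings = []
    if NFC in perms and INTERNET in perms:
        findings.append("NFC+INTERNET: can read a tapped card and send it off-device")
    if hce_services:
        findings.append(f"HCE service {hce_services}: can present card data to a POS terminal")

    return {
        "permissions": sorted(perms),
        "hce_services": hce_services,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample manifests (hypothetical package names).
READER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank.verify">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Verification">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

TAPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tapper">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name="com.example.tapper.CardService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".NotesActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in [("reader", READER_MANIFEST),
                            ("tapper", TAPPER_MANIFEST),
                            ("benign", BENIGN_MANIFEST)]:
        result = triage_manifest(manifest)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Legitimate wallet and banking apps also declare NFC, INTERNET and HCE services, so a hit here is a prompt for closer analysis (who signed the APK, where it was distributed, what hosts it contacts over WebSocket or MQTT), not a verdict on its own.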
The financial impact of this operation is substantial. Between November 2024 and August 2025, one identified group reportedly processed at least $355,000 in fraudulent transactions using the Ghost Tapped method. Analysts estimate that thousands of victims globally have already fallen prey to these schemes.
Law enforcement agencies have responded to the growing threat, with arrests reported in countries including the United States, Singapore, the Czech Republic, and Malaysia. These arrests underscore the widespread nature of the Ghost Tapped attacks and the international effort to combat them.
Preventing Ghost Tapped Exploitation
Users are advised to exercise extreme caution when downloading applications, particularly those that request extensive permissions or appear to be related to financial services. Always verify the legitimacy of apps by checking reviews, developer information, and official app store listings. Avoid downloading APK files from unofficial sources.
Keeping Android devices updated with the latest security patches is also crucial, as these updates often address vulnerabilities that could be exploited by malware. Users should also be wary of unsolicited messages or calls asking them to perform actions on their mobile device, especially those involving financial information or card interactions.
The ongoing evolution of mobile malware like Ghost Tapped highlights the persistent threat to digital financial security. As the technology behind contactless payments continues to advance, so too do the methods employed by cybercriminals. The ongoing investigation and disruption of these criminal networks will be critical in mitigating future losses.