A novel threat known as DevilNFC has surfaced in the Android ecosystem, employing a sophisticated combination of NFC relay attacks and Kiosk Mode exploitation. This malware effectively entraps users in a counterfeit banking interface, leading to unauthorized card data theft.
The Emergence of DevilNFC
DevilNFC specifically targets individuals in Europe and Latin America, showcasing an unprecedented level of technical skill for an independently developed threat. The malware is distinct in that it does not rely on existing code or shared infrastructure, indicating it was developed by a unique group of cybercriminals.
The attack is initiated via deceptive messages sent through SMS or WhatsApp, which lure victims to a fraudulent webpage mimicking the Google Play Store. This page falsely advertises a necessary security update from a recognized banking entity. Upon installation, the malware takes control, leaving users unaware of their compromised systems.
Advanced NFC Relay Techniques
Research conducted by Cleafy’s Threat Intelligence team has revealed that DevilNFC is more sophisticated than its counterpart, NFCMultiPay, with both being new additions to the NFC relay malware families. Despite the absence of shared code, both malware types are actively exploiting banking customers, marking a shift in the threat landscape.
DevilNFC isolates victims by leveraging Android’s Kiosk Mode to suppress the system UI and disable hardware controls. This lock-in strategy is part of a broader, AI-assisted development trend noticed in both malware families, featuring advanced phishing templates and other generative AI characteristics.
Operational Tactics and Implications
In practice, once the malware is activated, it uses Kiosk Mode to obscure the device’s UI, creating a seamless trap for the victim. A fake verification prompt encourages users to input their card PIN, which is then transmitted to the attackers both through a command and control server and a private Telegram channel.
The DevilNFC employs a Dual-Role APK architecture, enabling it to function as both a passive NFC reader and a card emulator, allowing for the execution of unauthorized transactions globally. Researchers emphasize the importance of downloading apps only from verified sources and being cautious of unexpected PIN requests.
Both malware families demonstrate signs of AI-driven development, as observed by ESET Research, further complicating the security landscape. This trend towards self-reliant tool creation in regional cybercriminal groups underscores the need for heightened vigilance and proactive cybersecurity measures.
