Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
DevilNFC Malware Traps Victims in Fake Banking Screens

DevilNFC Malware Traps Victims in Fake Banking Screens

Posted on May 20, 2026 By CWS

A novel threat known as DevilNFC has surfaced in the Android ecosystem, employing a sophisticated combination of NFC relay attacks and Kiosk Mode exploitation. This malware effectively entraps users in a counterfeit banking interface, leading to unauthorized card data theft.

The Emergence of DevilNFC

DevilNFC specifically targets individuals in Europe and Latin America, showcasing an unprecedented level of technical skill for an independently developed threat. The malware is distinct in that it does not rely on existing code or shared infrastructure, indicating it was developed by a unique group of cybercriminals.

The attack is initiated via deceptive messages sent through SMS or WhatsApp, which lure victims to a fraudulent webpage mimicking the Google Play Store. This page falsely advertises a necessary security update from a recognized banking entity. Upon installation, the malware takes control, leaving users unaware of their compromised systems.

Advanced NFC Relay Techniques

Research conducted by Cleafy’s Threat Intelligence team has revealed that DevilNFC is more sophisticated than its counterpart, NFCMultiPay, with both being new additions to the NFC relay malware families. Despite the absence of shared code, both malware types are actively exploiting banking customers, marking a shift in the threat landscape.

DevilNFC isolates victims by leveraging Android’s Kiosk Mode to suppress the system UI and disable hardware controls. This lock-in strategy is part of a broader, AI-assisted development trend noticed in both malware families, featuring advanced phishing templates and other generative AI characteristics.

Operational Tactics and Implications

In practice, once the malware is activated, it uses Kiosk Mode to obscure the device’s UI, creating a seamless trap for the victim. A fake verification prompt encourages users to input their card PIN, which is then transmitted to the attackers both through a command and control server and a private Telegram channel.

The DevilNFC employs a Dual-Role APK architecture, enabling it to function as both a passive NFC reader and a card emulator, allowing for the execution of unauthorized transactions globally. Researchers emphasize the importance of downloading apps only from verified sources and being cautious of unexpected PIN requests.

Both malware families demonstrate signs of AI-driven development, as observed by ESET Research, further complicating the security landscape. This trend towards self-reliant tool creation in regional cybercriminal groups underscores the need for heightened vigilance and proactive cybersecurity measures.

Cyber Security News Tags:AI-assisted malware, Android malware, banking security, Cleafy, Cybersecurity, DevilNFC, Kiosk Mode, NFC relay attacks, Phishing, Threat Landscape

Post navigation

Previous Post: Anthropic Addresses Claude Code Sandbox Flaw Quietly
Next Post: Join Today’s Virtual Summit on Cyber Threat Response

Related Posts

Spam Campaign Utilizes Fake PDFs for Remote Access Spam Campaign Utilizes Fake PDFs for Remote Access Cyber Security News
Google’s Gemini Deep Research Tool Gains Access to Gmail, Chat, and Drive Data Google’s Gemini Deep Research Tool Gains Access to Gmail, Chat, and Drive Data Cyber Security News
Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges Cyber Security News
HashiCorp Vault Vulnerabilities Let Attack Bypass Authentication And Trigger DoS Attack HashiCorp Vault Vulnerabilities Let Attack Bypass Authentication And Trigger DoS Attack Cyber Security News
Threat Actors Leverage Oracle Database Scheduler to Gain Access to Corporate Environments Threat Actors Leverage Oracle Database Scheduler to Gain Access to Corporate Environments Cyber Security News
Critical ProFTPD Vulnerability Allows Remote Code Execution Critical ProFTPD Vulnerability Allows Remote Code Execution Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Government Pays $1M to Prevent Data Leak by Kairos Group
  • North Korean Hackers Launch PolinRider Campaign
  • Critical ‘Bad Epoll’ Flaw Risks Linux and Android Security
  • PamStealer Targets macOS Users via Fake Clipboard Manager
  • New FatFs Vulnerabilities Threaten Embedded Devices

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Government Pays $1M to Prevent Data Leak by Kairos Group
  • North Korean Hackers Launch PolinRider Campaign
  • Critical ‘Bad Epoll’ Flaw Risks Linux and Android Security
  • PamStealer Targets macOS Users via Fake Clipboard Manager
  • New FatFs Vulnerabilities Threaten Embedded Devices

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark