DevilNFC Malware Exploits NFC Relay Attacks on Android Devices
Severity: High (Score: 66.5)
Sources: Cybersecuritynews, Gbhackers
Published: · Updated:
Keywords: malware, devilnfc, android, relay, attacks, kiosk, mode
Severity indicators: malware
Summary
The newly discovered DevilNFC malware targets Android users by employing NFC relay attacks combined with a Kiosk Mode trap. Victims are locked into a fake banking interface, allowing attackers to steal card data. The malware is particularly effective against users in Europe and Latin America, showcasing a high level of technical sophistication. Unlike previous malware campaigns, DevilNFC is developed independently rather than through established Malware-as-a-Service platforms. The emergence of this malware marks a significant evolution in the threat landscape surrounding NFC technology. No specific CVEs have been reported yet, and the full scope of the impact remains under investigation. Cybersecurity experts are urging users to remain vigilant against potential NFC-related threats. Key Points: • DevilNFC malware traps Android users in a fake banking screen during NFC relay attacks. • The malware primarily targets users in Europe and Latin America with advanced techniques. • No specific CVEs have been disclosed yet, but the threat is considered highly sophisticated.
Detailed Analysis
**Impact** DevilNFC targets Android users primarily in Europe and Latin America, focusing on customers of banking services. The malware traps victims in a kiosk mode during NFC relay attacks, leading to theft of card data. The scope includes individual banking customers, with potential financial losses and operational disruptions for affected institutions. No specific numbers of victims or financial impact are provided. **Technical Details** The malware employs NFC relay attacks combined with kiosk mode to lock victims inside a fake banking interface, preventing escape until card data is stolen. DevilNFC represents an evolution from previous Chinese-speaking MaaS NFC relay threats, being independently developed alongside NFCMultiPay. No CVEs or infrastructure details are disclosed, and no IOCs are provided in the articles. **Recommended Response** Defenders should monitor for unusual kiosk mode activations on Android devices and suspicious NFC relay activity. Implement detection rules for unauthorized kiosk mode usage and anomalous NFC communications. Users should be advised to avoid unknown NFC interactions and keep Android devices updated, although no specific patches or IOCs are detailed in the sources.
Source articles (2)
- DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks — Cybersecuritynews · 2026-05-20
A dangerous new Android malware called DevilNFC has emerged, combining NFC relay attacks with a Kiosk Mode trap that locks victims inside a fake banking screen until their card data is stolen. The mal… - DevilNFC Malware Traps Android Users in NFC Relay Attacks — Gbhackers · 2026-05-20
A newly identified Android malware family named DevilNFC is raising concern among cybersecurity researchers for its advanced use of kiosk mode to trap victims during NFC relay attacks. These malware f…
Timeline
- 2026-05-20 — DevilNFC malware identified: Cybersecurity researchers reported the emergence of DevilNFC malware targeting Android devices through NFC relay attacks.
- 2026-05-20 — Kiosk Mode exploitation detailed: The malware uses Kiosk Mode to lock victims into a fake banking interface, facilitating data theft.
Related entities
- Malware (Attack Type)
- DevilNFC (Malware)
- NFCMultiPay (Malware)
- Android (Platform)
- NFC (Platform)