Digital wallets under siege: Inside the rise of NFC-based fraud with GhostTap and SuperCard X
ESET reports a 35x surge in NFC-based fraud in 2025. Explore how GhostTap and SuperCard X are fueling mobile malware-as-a-service attacks on digital wallets.
Why is NFC-based fraud becoming one of the fastest-growing mobile cyberthreats in 2025?
According to ESET’s H1 2025 Threat Report, fraud involving near-field communication (NFC) technology has spiked by over thirty-five times compared to the second half of 2024. Although the total number of incidents remains modest in comparison to more traditional threats, the rate of growth—and the sophistication of associated malware—has made NFC-based fraud one of the fastest-rising concerns for mobile cybersecurity professionals.
The surge is driven by new malware families like GhostTap and SuperCard X, both of which exploit mobile devices’ NFC functionality to conduct unauthorized digital wallet transactions. These tools are being actively distributed through phishing campaigns, fake app marketplaces, and malware-as-a-service (MaaS) platforms, enabling both skilled attackers and opportunistic fraud groups to scale their operations with minimal technical expertise.
The growing ubiquity of contactless payments, coupled with increased reliance on digital wallets for banking, transit, and retail purchases, makes NFC-enabled smartphones an attractive attack surface. Analysts believe that, as more regions embrace tap-to-pay systems, mobile-based proximity fraud will only accelerate without targeted mitigation.

How do GhostTap and SuperCard X enable attackers to steal and use digital wallet credentials via NFC?
GhostTap is a mobile malware tool designed to silently harvest card data from NFC-enabled smartphones. Once installed—often disguised as a system optimization or NFC utility app—it runs in the background and intercepts NFC signals when a legitimate card is tapped near the device. The malware then stores this data or uploads it to a command-and-control server, allowing attackers to clone the credentials into their own digital wallets.
SuperCard X, on the other hand, offers a more streamlined and accessible model for fraudsters. It is marketed as a minimalistic malware-as-a-service offering that turns any compromised Android phone into a card data collector and relay device. Once installed, SuperCard X quietly captures NFC interactions and transmits them in real time to a remote endpoint controlled by the attacker. From there, the stolen credentials can be used for fraudulent tap-to-pay transactions at retail locations around the world.
Both tools are designed to evade detection by masquerading as legitimate apps, requesting only minimal permissions, and avoiding aggressive battery usage patterns that would alert device owners. They also leverage background processes that are common in other NFC-related apps, making them difficult to distinguish using conventional mobile security heuristics.
What role are organized fraud groups playing in scaling NFC wallet theft using these tools?
ESET’s analysis reveals that organized fraud operations—often referred to as “fraud farms”—are using GhostTap and SuperCard X at scale. These groups typically employ dozens or even hundreds of compromised phones simultaneously, each running an instance of the malware. The devices are then used to either harvest credentials from targeted victims or execute large volumes of contactless payments using previously stolen card data.
In some reported cases, attackers load stolen credentials into their own digital wallets and perform real-time transactions at high-throughput retail outlets such as convenience stores, gas stations, or fast-food chains. Because many NFC payment systems rely on low-friction authentication (such as no PIN for small transactions), attackers are able to complete purchases without raising suspicion.
Institutional cybersecurity experts warn that fraud farms are increasingly coordinating with money laundering operations and using automated tools to extract maximum value from stolen wallet data before detection occurs. Some actors are also linking NFC fraud campaigns with wider phishing operations, cross-referencing stolen card data with online account credentials to build a broader victim profile.
How vulnerable are digital wallet platforms to these types of mobile proximity threats?
Digital wallets typically include built-in security measures such as device encryption, biometric authentication, and tokenization to obscure card details. However, attackers are now circumventing these protections by targeting the data at the NFC communication layer, or by compromising the mobile device itself rather than the wallet app.
GhostTap, for example, intercepts the raw data transmitted during the tap process, before it is tokenized by the wallet software. Similarly, SuperCard X captures interaction metadata that can be used to replay transactions in supported environments. These methods highlight a systemic vulnerability: once the device is compromised at the OS level, even secure applications become exposed.
Cybersecurity researchers say that NFC-based fraud is particularly hard to mitigate because it relies on the physical proximity of devices—making it nearly impossible for backend systems to distinguish between legitimate and spoofed interactions. Moreover, mobile operating systems often lack granular telemetry for low-level NFC events, limiting the visibility that app developers and fraud detection teams have into anomalous behavior.
What are financial institutions and mobile platform vendors doing to address this emerging threat?
In response to the spike in proximity-based fraud, several mobile security vendors are updating their SDKs to include enhanced NFC monitoring features. These updates aim to detect background listeners, unusual tap frequencies, or known malicious app signatures. However, due to API limitations, especially on Android platforms, such defenses may only offer partial coverage.
Some banks and fintech platforms are experimenting with out-of-band authentication mechanisms for contactless payments, such as requiring biometric re-confirmation even for small transactions, or integrating behavioral AI models to detect suspicious movement patterns before authorizing NFC activity.
Telecom providers are also being pulled into the mitigation loop, with some exploring SIM-based isolation strategies for NFC modules—effectively placing wallet credentials in secure enclaves inaccessible to the rest of the device OS.
Institutional sentiment suggests that while these are steps in the right direction, they may not be enough to counter malware that operates silently and at scale. Analysts are calling for cross-industry coordination involving OS vendors, app developers, mobile device manufacturers, and financial regulators to set new standards for NFC transaction auditing and device-level security baselines.
What is the future outlook for mobile-based NFC fraud in the evolving cybercrime economy?
With contactless payments growing in both volume and geographic reach, NFC fraud is poised to become a persistent threat vector in the mobile malware ecosystem. Analysts expect tools like GhostTap and SuperCard X to be joined by newer variants that incorporate AI-driven relay timing, geolocation spoofing, and encrypted peer-to-peer credential trading networks.
ESET researchers warn that future iterations may include self-propagating mechanisms, allowing NFC malware to hop between nearby devices via Bluetooth or Wi-Fi Direct. If realized, such functionality could transform localized attacks into urban-scale proximity campaigns affecting thousands of devices in densely populated areas.
From a defensive standpoint, enterprises handling large volumes of digital wallet transactions will need to strengthen fraud modeling, incorporate endpoint trust scoring, and ensure their apps are resilient against background-based credential interception.
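One form the fraud modeling mentioned above can take, shown as an added Python example that is not from ESET or this article: an issuer-side velocity rule for the cash-out pattern described earlier, in which one wallet token makes a burst of small no-PIN taps across several merchants. The log layout, token and merchant names, and all thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log (not real data):
# (timestamp, wallet token, merchant id, amount, cardholder verified?)
SAMPLE_LOG = [
    ("2025-06-01T09:02:00", "tok-A", "m-cafe-01", 4.80, False),
    ("2025-06-01T10:00:00", "tok-B", "m-gas-01", 38.50, False),
    ("2025-06-01T10:06:00", "tok-B", "m-conv-07", 45.00, False),
    ("2025-06-01T10:11:00", "tok-B", "m-food-03", 41.20, False),
    ("2025-06-01T10:19:00", "tok-B", "m-conv-09", 48.00, False),
    ("2025-06-01T10:24:00", "tok-B", "m-gas-02", 44.90, False),
    ("2025-06-01T12:00:00", "tok-C", "m-gas-01", 40.00, True),
    ("2025-06-01T12:05:00", "tok-C", "m-conv-07", 42.00, True),
    ("2025-06-01T12:09:00", "tok-C", "m-food-03", 39.00, True),
    ("2025-06-01T12:15:00", "tok-C", "m-conv-09", 44.00, True),
    ("2025-06-01T08:00:00", "tok-D", "m-vend-01", 2.00, False),
    ("2025-06-01T08:05:00", "tok-D", "m-vend-01", 2.00, False),
    ("2025-06-01T08:11:00", "tok-D", "m-vend-01", 2.50, False),
    ("2025-06-01T08:16:00", "tok-D", "m-vend-01", 2.00, False),
]

# Assumed thresholds for illustration; real no-PIN limits vary by scheme and region.
NO_CVM_LIMIT = 50.00
WINDOW = timedelta(minutes=30)
MIN_TAPS = 4
MIN_MERCHANTS = 3

def flag_tap_bursts(log):
    """Return {token: summary} for the first window in which a token makes
    MIN_TAPS+ unverified sub-limit taps at MIN_MERCHANTS+ distinct merchants."""
    taps_by_token = defaultdict(list)
    for ts, token, merchant, amount, verified in log:
        if not verified and amount <= NO_CVM_LIMIT:
            taps_by_token[token].append((datetime.fromisoformat(ts), merchant, amount))
    flagged = {}
    for token, taps in taps_by_token.items():
        taps.sort()
        start = 0
        for end in range(len(taps)):
            while taps[end][0] - taps[start][0] > WINDOW:  # slide window forward
                start += 1
            burst = taps[start:end + 1]
            merchants = sorted({m for _, m, _ in burst})
            if len(burst) >= MIN_TAPS and len(merchants) >= MIN_MERCHANTS:
                flagged[token] = {"taps": len(burst), "merchants": merchants,
                                  "total": round(sum(a for _, _, a in burst), 2)}
                break
    return flagged
```

On the constructed log only tok-B is flagged: tok-C's taps carry cardholder verification, and tok-D's repeated taps stay at a single merchant.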
The outlook also includes potential regulatory implications. Governments may begin mandating tamper-resistant NFC hardware or certifying mobile wallet apps for specific compliance standards. This would mirror historical responses to ATM skimming and chip-and-pin vulnerabilities, but adapted for a mobile-first world.
For now, the rise of GhostTap and SuperCard X signals that cybercriminals are treating mobile NFC channels as a viable and scalable frontier for fraud—one that traditional app-layer defenses were never fully built to handle.