A dangerous new Android malware called DevilNFC has emerged, combining NFC relay attacks with a Kiosk Mode trap that locks victims inside a fake banking screen until their card data and PIN are stolen. Targeting customers across Europe and Latin America, DevilNFC represents a significant escalation in the sophistication of mobile financial fraud — and evidence suggests it was built with the assistance of generative AI development tools.
How DevilNFC Attacks Victims
The attack begins with a phishing message delivered via SMS or WhatsApp, directing the victim to a landing page impersonating the Google Play Store. The page presents the malicious app as a mandatory security update from a legitimate Spanish-language banking institution. Once installed, the malware activates immediately and the victim loses control of their device without realizing it.
Analysts at Cleafy’s Threat Intelligence and Response team identified and analyzed DevilNFC, noting it is the more advanced of two newly documented NFC relay families — the other being NFCMultiPay. Despite sharing no code or infrastructure, both families are actively conducting NFC relay attacks against banking customers in overlapping geographies, marking a significant turning point in the NFC relay threat landscape.
The Kiosk Mode Trap
What makes DevilNFC especially alarming is how completely it isolates the victim. On launch, the malware locks the device into its own screen using Android's lock task ("Kiosk") mode and displays a social engineering template fetched from a remote server. The system UI disappears and the hardware back button is disabled, trapping the victim inside the fraudulent interface while the relay completes in the background. Note that Android only grants an app un-confirmed lock task mode when it is the device owner or on a device policy controller's allowlist; an ordinary app that calls startLockTask() gets screen pinning instead, which the user must first approve in a prompt.
A fake verification pop-up rendered remotely from a C2 template then prompts the victim to enter their four-digit card PIN after the first card tap. The PIN is exfiltrated to two destinations simultaneously: a dedicated C2 endpoint and the attacker’s private Telegram channel, sent in plaintext alongside the bank name and victim’s public IP address. The interface then deliberately triggers a fake verification error, instructing the victim to hold their card for an extra ten seconds — a designed extension of the relay window ensuring the fraudulent transaction completes before any success screen appears.
Dual-Role APK Architecture
DevilNFC uses a Dual-Role APK architecture: a single application serves as a passive NFC reader on the victim's unrooted device and as a card emulator on the attacker's rooted hardware. On the attacker's side, a hooking framework injects DevilNFC's relay module directly into Android's NFC daemon process, which is why that device has to be rooted. The result is a relay pipeline that presents the victim's legitimate card credentials in real time, authorizing contactless ATM withdrawals and chip-and-PIN transactions at any point of sale worldwide.
AI-Assisted Development Lowers the Barrier
Both DevilNFC and the related NFCMultiPay family show clear indicators of AI-assisted development. In DevilNFC, phishing templates from the live C2 are over-engineered relative to their function, featuring CSS and JavaScript structured with architectural precision and deliberate edge-case error handling that is characteristic of large language model (LLM)-generated code. NFCMultiPay’s debug logs show emoji-categorized metric labels separated by ASCII borders — a pattern strongly associated with LLM-generated logging scaffolding.
This trend suggests that threat actors are increasingly using uncensored AI models alongside leaked malware codebases from public repositories, dramatically lowering the technical barrier to building functional Android malware. Local criminal groups are no longer purchasing access to established Chinese platforms — they are building their own tools from scratch with AI assistance.
Geographic Targeting and Indicators
DevilNFC currently targets banking customers in Europe and Latin America, with particular focus on Spanish-language banking institutions. The malware infrastructure includes the following indicators of compromise:
- C2 Domain: nfcrackatm[.]com
- C2 Domain: spicynagets[.]shop
- Package Name: com.devilnfc.reader
- MD5 (APK): caa5e8cf3275339d251210072ebe88c2
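The indicators above are published defanged, and a common mistake when turning them into detections is to match only the exact apex domain. The following is an added example (not code from Cleafy or the report) that re-fangs the published IoCs and sweeps them across three constructed inputs: a BIND-style resolver log, the output of `adb shell pm list packages`, and an `md5sum` listing. Log formats, client addresses, file names and the look-alike domain are assumptions for the demonstration. Subdomains of a C2 domain count as hits, while a domain that merely begins with `nfcrackatm.com` does not.

```python
import re

# Indicators exactly as published above (defanged), plus the package name and APK hash.
DEFANGED_C2_DOMAINS = ["nfcrackatm[.]com", "spicynagets[.]shop"]
MALICIOUS_PACKAGES = {"com.devilnfc.reader"}
MALICIOUS_APK_MD5 = {"caa5e8cf3275339d251210072ebe88c2"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a value that can be matched against logs."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http").strip()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def domain_is_ioc(host: str, bad=C2_DOMAINS) -> bool:
    """True for a listed C2 domain or any subdomain of it.
    Case-insensitive and tolerant of a trailing dot; 'nfcrackatm.com.other.example' is NOT a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad)


# Constructed sample inputs (not from the report), shaped like a BIND query log,
# `adb shell pm list packages` output and `md5sum` output.
SAMPLE_DNS_LOG = [
    "02-Mar-2025 10:14:02.117 client 10.0.0.5#53211: query: api.NFCrackatm.com IN A +",
    "02-Mar-2025 10:14:03.004 client 10.0.0.9#41002: query: play.google.com IN A +",
    "02-Mar-2025 10:14:07.551 client 10.0.0.5#53212: query: spicynagets.shop. IN A +",
    "02-Mar-2025 10:14:09.100 client 10.0.0.7#60001: query: nfcrackatm.com.lookalike.example IN A +",
]
SAMPLE_PM_LIST = ["package:com.android.chrome", "package:com.devilnfc.reader"]
SAMPLE_MD5SUM = [
    "CAA5E8CF3275339D251210072EBE88C2  Downloads/security_update.apk",
    "d41d8cd98f00b204e9800998ecf8427e  Downloads/empty.apk",
]

DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns(lines):
    """Return (client, queried name) pairs that resolve a C2 domain or one of its subdomains."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m and domain_is_ioc(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".").lower()))
    return hits


def scan_packages(lines):
    """Return installed package names that appear in the IoC list."""
    installed = {line.partition(":")[2].strip() for line in lines if line.startswith("package:")}
    return sorted(installed & MALICIOUS_PACKAGES)


def scan_hashes(lines):
    """Return file names whose md5sum matches the published APK hash (hash compared case-insensitively)."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in MALICIOUS_APK_MD5:
            hits.append(parts[1].strip())
    return hits


if __name__ == "__main__":
    print("DNS:", scan_dns(SAMPLE_DNS_LOG))
    print("packages:", scan_packages(SAMPLE_PM_LIST))
    print("APKs:", scan_hashes(SAMPLE_MD5SUM))
```

Treat the hash match as the weakest of the three signals: the report gives an MD5 for one sample, and a repacked APK with a different hash would still carry the same package name and talk to the same C2 domains.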
How to Protect Yourself
Researchers recommend the following protective measures against NFC relay malware like DevilNFC:
- Only install apps from official sources — never from links sent via SMS or WhatsApp
- Never enter your card PIN in a session you did not personally initiate at a trusted terminal
- If your Android device becomes locked to a full-screen interface you cannot exit, report it to your bank immediately and perform a factory reset
- Disable NFC when not in use to reduce your attack surface
- Banks should implement behavioral analysis on contactless transactions to flag relay attacks based on geographic impossibility (card in one country, transaction in another)
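The last recommendation is the one banks can act on without touching the victim's phone. A relayed card produces an authorization at a terminal the cardholder could not physically have reached since their previous transaction, so a velocity check on consecutive authorizations per card catches it. The following is an added example (not from the report or Cleafy) of that check over a constructed transaction feed: card-A's holder pays at a Madrid POS and twenty minutes later the same card is relayed to an ATM in Bogotá; card-B travels Madrid to Barcelona by train and is left alone. The 900 km/h threshold, the terminal coordinates and the feed format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Transaction:
    card_id: str      # tokenised card reference, never the PAN
    ts: datetime      # authorization time, UTC
    country: str      # ISO 3166-1 alpha-2 of the terminal
    lat: float        # terminal location (assumed to be known from the acquirer)
    lon: float
    terminal: str     # "POS" or "ATM"
    amount: float


@dataclass(frozen=True)
class RelayAlert:
    card_id: str
    prev: Transaction
    cur: Transaction
    distance_km: float
    implied_kmh: float


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: faster than an airliner, so nobody carried the card there
MIN_GAP_SECONDS = 60.0      # floor on the time gap so back-to-back taps do not divide by ~0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two terminal locations."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def relay_suspects(transactions, max_kmh=MAX_PLAUSIBLE_KMH):
    """Velocity check: compare every authorization with the previous one on the same card and
    flag it when the implied travel speed between the two terminals exceeds max_kmh."""
    by_card = {}
    for t in transactions:
        by_card.setdefault(t.card_id, []).append(t)
    alerts = []
    for card_id, txs in by_card.items():
        txs.sort(key=lambda t: t.ts)
        for prev, cur in zip(txs, txs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            gap_h = max((cur.ts - prev.ts).total_seconds(), MIN_GAP_SECONDS) / 3600.0
            speed = dist / gap_h
            if speed > max_kmh:
                alerts.append(RelayAlert(card_id, prev, cur, dist, speed))
    return alerts


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample feed (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("card-A", _utc("2025-03-02 09:40:00"), "ES", 40.4168, -3.7038, "POS", 2.80),
    Transaction("card-A", _utc("2025-03-02 10:00:00"), "CO", 4.7110, -74.0721, "ATM", 400.00),
    Transaction("card-B", _utc("2025-03-02 09:00:00"), "ES", 40.4168, -3.7038, "POS", 3.20),
    Transaction("card-B", _utc("2025-03-02 11:00:00"), "ES", 41.3874, 2.1686, "POS", 18.90),
]

if __name__ == "__main__":
    for a in relay_suspects(SAMPLE_TRANSACTIONS):
        gap_s = (a.cur.ts - a.prev.ts).total_seconds()
        print(f"{a.card_id}: {a.prev.country}/{a.prev.terminal} -> {a.cur.country}/{a.cur.terminal}, "
              f"{a.distance_km:.0f} km in {gap_s:.0f} s (~{a.implied_kmh:.0f} km/h)")
```

A speed threshold rather than a plain "different country" rule avoids false positives at land borders, where two honest taps a few minutes apart can legitimately fall in different countries; the same check also surfaces cloned cards, so the alert should be one input to a fraud decision rather than an automatic decline.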