Saved February 14, 2026
Do you care about this?
A new report from Zimperium reveals a rise in NFC relay malware targeting Android users' tap-to-pay systems. Over 760 malicious apps have been found that impersonate legitimate banking applications to steal payment data and facilitate fraud. Users are advised to download apps only from the Google Play Store and stay vigilant against unknown payment requests.
If you do, here's more
A new security threat has emerged for Android users, primarily targeting tap-to-pay systems through malicious apps that exploit NFC and Host Card Emulation features. Zimperium's investigation has found over 760 such apps that intercept payment data in real time, transforming infected devices into tools for payment fraud. The issue has expanded from isolated incidents to a widespread problem, affecting users in Russia, Poland, Brazil, and more.
These fake apps often mimic legitimate banking or government applications, like Google Pay and VTB Bank, convincing users to set them as their default payment method. Once installed, the apps activate NFC relay functionality, sending card data to remote servers managed by cybercriminals. This enables attackers to conduct transactions without needing physical access to the victim's card. The operation involves over 70 command-and-control servers and uses Telegram bots to manage stolen financial data.
Researchers highlight that these malicious apps are cleverly disguised, using authentic interfaces and logos to appear legitimate. Unlike traditional banking trojans that rely on overlays or SMS interception, this new malware directly utilizes Android's capabilities to act like a virtual payment card. Zimperium has blocked multiple families of this NFC relay malware through its security platforms but emphasizes the need for better protection for NFC permissions. For Android users, the best defense includes downloading apps solely from the Google Play Store and keeping security software updated.
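An added example, not from Zimperium's report or the original article: a triage check for the behaviour described above, an app that registers itself as a Host Card Emulation service and can also reach the network. It assumes the manifest has already been decoded to text XML; the package names, the allowlist and the "HCE plus INTERNET outside the allowlist" heuristic are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
# Hypothetical allowlist: payment apps this fleet is expected to carry.
EXPECTED = {"com.example.trustedwallet"}

def hce_findings(manifest_xml, allowlist=EXPECTED):
    """List every service in a decoded manifest that registers for Host Card Emulation."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    for svc in root.iter("service"):
        if HCE_ACTION not in {a.get(A + "name") for a in svc.iter("action")}:
            continue
        findings.append({
            "package": package,
            "service": svc.get(A + "name"),
            "aid_xml": HCE_META in {m.get(A + "name") for m in svc.iter("meta-data")},
            "internet": "android.permission.INTERNET" in perms,  # needed to reach a remote server
            "allowlisted": package in allowlist,
        })
    return findings

def needs_review(manifest_xml, allowlist=EXPECTED):
    """Heuristic (an assumption of this example): HCE + network access, outside the allowlist."""
    return [f for f in hce_findings(manifest_xml, allowlist)
            if f["internet"] and not f["allowlisted"]]

# Constructed sample manifests, not taken from any real app.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalikebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""
NO_HCE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""
```

A hit from `needs_review` is a prompt to look at the app, not a verdict: legitimate wallets declare the same service, which is why the allowlist carries the decision.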