Saved February 14, 2026
Do you care about this?
Zimperium zLabs discovered over 760 Android apps misusing NFC and HCE to steal payment data, with a notable increase in attacks since April 2024. These malicious apps impersonate trusted institutions and operate through a command-and-control system, making detection difficult. Financial institutions and users need to be wary of unfamiliar apps requesting NFC access.
If you do, here's more
Zimperium zLabs has identified over 760 Android apps misusing Near-Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data, highlighting a sharp increase in NFC relay fraud since April 2024. These malicious apps target a range of financial institutions, including banks in Russia, Europe, and Brazil, as well as services like Google Pay. The apps trick users into granting NFC payment permissions by impersonating trusted entities, often through deceptive interfaces.
These programs typically operate in two ways: as paired "scanner/tapper" toolchains or as standalone data collectors. They can extract sensitive information, including EMV data, device IDs, card numbers, and expiration dates, which is then sent to Telegram channels. Operators manage these apps remotely via command-and-control servers, allowing them to execute actions like logging in, relaying card terminal requests, and initiating fake transactions with minimal user interaction.
Zimperium reports that since April 2024, attackers have utilized over 70 command-and-control servers and multiple Telegram bots to target more than 20 institutions globally, predominantly in Russia. The researchers emphasize the escalating risk associated with NFC technology, particularly as "Tap-to-Pay" transactions become more common. They caution financial institutions, mobile vendors, and users to be wary of unfamiliar apps requesting NFC access, labeling them as high risk.