
Carding is Dead, Long Live Carding: How MaaS is fueling NFC relay attacks

Video: DEFCONConference, 37:32 (11,062 views, posted 6 months ago)

This talk demonstrates the evolution of carding attacks from traditional methods to modern NFC relay attacks facilitated by Malware-as-a-Service (MaaS) platforms. It details the attack lifecycle, including social engineering, malware installation, and the use of dedicated command-and-control infrastructure to bypass chip security and perform unauthorized contactless payments. The researchers provide insights into the operational tactics of threat actors, including the rebranding of malware like SuperCard X to Lion and the use of money mules for cash-out operations.

Beyond Skimming: How Modern MaaS Platforms Are Weaponizing NFC Relay Attacks

TLDR: Modern Malware-as-a-Service (MaaS) platforms are evolving beyond simple credential harvesting to facilitate sophisticated NFC relay attacks. By abusing Android’s Accessibility Services, these trojans can now bridge the gap between a victim's physical card and a remote attacker's POS terminal in real-time. Security researchers and pentesters must shift their focus toward detecting these multi-stage mobile attack chains rather than just looking for static malware signatures.

Traditional carding is evolving. For years, the industry focused on the mechanics of card-not-present fraud, skimming, and the underground forums that traded stolen magnetic stripe data. But as EMV chip technology and contactless payments became the standard, the barrier to entry for attackers increased. The latest research from DEF CON 2025 highlights a significant shift: threat actors are no longer just stealing card numbers. They are building fully functional, automated relay infrastructures that turn a victim's own mobile device into a bridge for unauthorized contactless transactions.

The Mechanics of the NFC Relay Chain

The attack flow demonstrated by the researchers at Cleafy is a masterclass in operationalizing mobile malware. It starts with a classic phishing campaign, but the goal is not just to steal a password. The objective is to trick the user into installing a malicious Android application that requests broad permissions, specifically targeting the Android Accessibility Services.

Once the malware gains these permissions, it effectively gains control over the device's UI. It can intercept SMS messages, read screen content, and even perform actions on behalf of the user. In the context of an NFC relay attack, the malware waits for the victim to initiate a legitimate interaction or, more commonly, uses social engineering to convince the victim to place their physical credit card against the back of their phone.

The malware then acts as a proxy. It reads the NFC data from the physical card and transmits it over the internet to a remote "receiver device" managed by the attacker. This receiver device, which also runs the malicious application, is then placed against a physical POS terminal or an ATM. The terminal sees the transaction as a legitimate, local contactless payment. The chip's cryptographic responses are genuine, because they really do come from the victim's card; the chip security that was supposed to make cloning impossible offers no protection against a relay, since nothing is cloned.
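To make the point concrete, here is a toy model of the exchange just described, added here as an illustration and not code from the talk or from Cleafy. The card key, the latencies and the round-trip threshold are all invented; the keyed MAC stands in for the chip's cryptogram. The model shows that the relayed response verifies exactly like a local tap, and that the only signal the terminal has left is how long the answer took to come back.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed toy model of a terminal/card challenge-response over NFC. The card
# answers a terminal nonce with a keyed MAC standing in for the EMV cryptogram
# that only the genuine chip can produce. Key and timings are invented.
CARD_KEY = b"constructed-card-key"


def card_respond(challenge: bytes) -> bytes:
    """The genuine card's answer. It is identical whether the terminal's
    command reached the card over a local tap or through a relay."""
    return hmac.new(CARD_KEY, challenge, hashlib.sha256).digest()[:8]


@dataclass
class LocalTap:
    """Card physically in the terminal's field: only the NFC round trip."""
    nfc_latency_ms: float = 4.0  # assumed

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        return card_respond(challenge), self.nfc_latency_ms


@dataclass
class RelayedTap:
    """The relay from the text: the receiver phone forwards the terminal's
    command over the internet to the victim's phone, which holds the real card
    and sends the genuine answer back. The response is real; the delay is not."""
    nfc_latency_ms: float = 4.0     # assumed, paid twice (receiver side and victim side)
    network_rtt_ms: float = 180.0   # assumed mobile-network round trip between the two phones

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        total_ms = self.nfc_latency_ms * 2 + self.network_rtt_ms
        return card_respond(challenge), total_ms


def terminal_check(tap, max_rtt_ms: float = 50.0) -> dict:
    """What a terminal can observe: is the cryptogram valid, and did it come
    back fast enough to have been produced by a card in the field?
    max_rtt_ms is an assumed bound, not a real scheme parameter."""
    challenge = secrets.token_bytes(8)
    response, rtt_ms = tap.exchange(challenge)
    genuine = hmac.compare_digest(response, card_respond(challenge))
    return {
        "genuine": genuine,
        "rtt_ms": rtt_ms,
        "relay_suspected": rtt_ms > max_rtt_ms,
        "accept": genuine and rtt_ms <= max_rtt_ms,
    }


if __name__ == "__main__":
    print("local  :", terminal_check(LocalTap()))
    print("relayed:", terminal_check(RelayedTap()))
```

Both runs report `genuine: True`; only the relayed one trips `relay_suspected`. That is the defender's takeaway: cryptographic validation of the card cannot detect a relay, so the countermeasure has to live in timing (terminal-side relay-resistance checks, where the contactless kernel supports them) or in the surrounding fraud controls discussed later on this page.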

From SuperCard X to Lion: The Rise of MaaS

What makes this particularly dangerous is the shift toward a service-oriented model. The researchers tracked the evolution of specific malware families like SuperCard X and its successor, Lion. These are not just standalone scripts. They are full-blown MaaS platforms that offer:

  • Subscription-based access tiers.
  • Technical support for affiliates.
  • Regular updates to evade detection.
  • Integrated command-and-control (C2) panels.

The C2 panel is where the real innovation happens. It provides the attacker with a real-time view of the "money mule" network. If a transaction fails or a specific card is blocked, the attacker can instantly switch the relay to a different mule device in a different country. This flexibility makes it incredibly difficult for traditional fraud detection systems to keep up, as the source of the transaction is constantly shifting.

Pentesters and the New Threat Landscape

For those of us conducting mobile application security assessments, this changes the threat model. We can no longer just test for insecure data storage or weak encryption. We need to evaluate how an application handles sensitive permissions and whether it can be manipulated via accessibility services.

When testing an app, ask yourself:

  1. Does the application check for the presence of active accessibility services?
  2. Does it implement Android's Play Integrity API (or the older, now-deprecated SafetyNet Attestation) to detect if the device is compromised or if the app is running in an unauthorized environment?
  3. How does the application handle sensitive user input? If it requires a PIN, is that PIN entered in a way that can be intercepted by a screen-reading service?
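The first question on that list has a concrete check behind it. During an assessment the enabled accessibility services can be pulled with `adb shell settings get secure accessibility_enabled` and `adb shell settings get secure enabled_accessibility_services`; on the device itself an app reads the same colon-separated `package/ServiceClass` string through `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES`. The script below is an added example (not the researchers' tooling) that parses that string and flags any service outside an allowlist. The adb output, the `com.example.fakeupdate` entry and the allowlist are constructed; TalkBack's package name is real.

```python
from __future__ import annotations

# Constructed adb output as captured from a test device. On-device, an app reads
# the same "package/ServiceClass:package2/ServiceClass2" string via
# Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES.
ADB_ACCESSIBILITY_ENABLED = "1\n"
ADB_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.OverlayService\n"  # constructed: the kind of entry a trojan adds
)

# Assistive-technology packages the app (or the assessor) chooses to tolerate.
# Hypothetical allowlist; the real one is a product decision.
KNOWN_ASSISTIVE_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, service class) pairs.
    The shorthand '.Service' form is expanded against its package name."""
    services: list[tuple[str, str]] = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def flag_unexpected(raw_enabled: str, raw_services: str,
                    allowlist: set[str] = KNOWN_ASSISTIVE_PACKAGES) -> dict:
    """Return which services are active and which of them are not on the allowlist.
    If the global accessibility switch is off, no service is considered active."""
    enabled = raw_enabled.strip() == "1"
    services = parse_enabled_services(raw_services) if enabled else []
    unexpected = [(pkg, cls) for pkg, cls in services if pkg not in allowlist]
    return {
        "accessibility_enabled": enabled,
        "services": services,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    result = flag_unexpected(ADB_ACCESSIBILITY_ENABLED, ADB_ENABLED_SERVICES)
    for pkg, cls in result["unexpected"]:
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

Two caveats for the in-app version of this check. An allowlist is only a heuristic, since a trojan can be installed under any package name, so the stronger control is to keep sensitive views out of the accessibility tree altogether (`setImportantForAccessibility` on older API levels, `setAccessibilityDataSensitive` from Android 14) and to set `FLAG_SECURE` on screens that show or collect PINs. And because the malware described above needs the accessibility permission to operate, an app that blocks sensitive flows while an unknown service is active is raising the cost of exactly the step the attack chain depends on.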

The impact of these attacks is immediate and financial. A successful relay attack results in a fraudulent transaction that appears to originate from a legitimate, verified device. For a bank, this is a nightmare to dispute. For a user, it is a total loss of funds with little recourse.

Defensive Strategies

Defending against this requires a multi-layered approach. On the mobile side, developers must implement strict checks for accessibility services and ensure that sensitive UI elements are protected. From a network perspective, financial institutions need to look for anomalies in transaction patterns that suggest a relay, such as impossible travel times between the victim's location and the location of the POS terminal.
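The "impossible travel" check mentioned here, and the mule-switching behaviour described in the C2 section above, both show up in the same data: the victim's device reports one location, the POS taps report others. The following is an added example (not from the talk) of that check over a constructed event stream: an app session in Milan followed by taps in Milan, Madrid and Lisbon within half an hour, the last two being the kind of pattern a relay switched between mules would leave. Coordinates are approximate city centres, the 900 km/h ceiling is an assumed "fastest plausible travel" bound, and the event ids are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, inf, radians, sin, sqrt


@dataclass
class Event:
    event_id: str
    kind: str            # "app_session" (device-reported location) or "pos_tap" (terminal location)
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_impossible_travel(events: list[Event], max_kmh: float = 900.0) -> list[tuple]:
    """Walk the events in time order and flag each consecutive pair whose implied
    speed exceeds max_kmh. Returns (prev_id, cur_id, km, kmh) tuples."""
    ordered = sorted(events, key=lambda e: e.when)
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        if hours <= 0:
            speed = inf if km > 0 else 0.0  # same timestamp, different place
        else:
            speed = km / hours
        if speed > max_kmh:
            flagged.append((prev.event_id, cur.event_id, round(km), round(speed)))
    return flagged


def _t(hh: int, mm: int) -> datetime:
    return datetime(2025, 6, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample stream for one card on one morning.
SAMPLE_EVENTS = [
    Event("s1", "app_session", _t(9, 58), 45.4642, 9.1900),   # Milan, victim's own phone
    Event("p1", "pos_tap",     _t(10, 10), 45.4700, 9.2000),  # Milan, legitimate tap
    Event("p2", "pos_tap",     _t(10, 15), 40.4168, -3.7038), # Madrid, 5 minutes later
    Event("p3", "pos_tap",     _t(10, 25), 38.7223, -9.1393), # Lisbon, 10 minutes after that
]


if __name__ == "__main__":
    for prev_id, cur_id, km, kmh in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"{prev_id} -> {cur_id}: {km} km in implied {kmh} km/h, relay suspected")
```

The Madrid and Lisbon taps are flagged; the Milan tap is not. Two design notes: the victim's device location only helps if the app actually reports it (and a relay trojan sits on that same device, so treat it as one signal among several), and the speed threshold should be tuned per issuer, since a fixed 900 km/h will still pass a mule who is merely in the next city. Velocity checks complement, rather than replace, the terminal-side timing controls and the in-app accessibility checks discussed earlier.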

The most effective defense, however, is user education. The social engineering component is the weakest link in the chain. If a user is convinced to place their card against their phone, the technical controls are already being bypassed. We need to move toward authentication mechanisms that are resistant to relay, such as requiring biometric verification for every contactless transaction above a certain threshold.

The era of simple carding is over. We are now dealing with a highly organized, service-driven ecosystem that treats mobile devices as remote hardware for fraud. As researchers, our job is to stay ahead of these C2 infrastructures and ensure that the next generation of mobile banking apps is built to withstand this level of scrutiny.
