Recent reports from Krebs on Security have exposed a new kind of financial fraud: cybercriminals, especially groups based in China, are using an Android app called ZNFC to carry out a massive number of illegal, touchless transactions around the world.

This isn’t just small-scale fraud. Experts believe criminals may be stealing billions of dollars with this one app. The scam works by using stolen credit card data, Near Field Communication (NFC) technology, and fake payment relays—turning smartphones into tools for automated theft.

But the most alarming part isn’t just how much money is being stolen—it’s how mobile apps are fueling a new wave of large-scale cybercrime. These apps aren’t just being used to commit fraud; they’re making it faster, easier, and more widespread than ever before.

How ZNFC exploits mobile app capabilities

The fraudulent process behind ZNFC, known as a “ghost tap” attack, is deceptively simple:

  1. Phishing: Cybercriminals first obtain payment card data through deceptive phishing campaigns—often via messages posing as postal services, toll road notifications, or subscription renewals. These lure victims into entering their credit card details on fake websites.
  2. Capturing: The stolen card data is linked to hacker-controlled digital wallets. Many phishing kits even pretend to encounter a “processing error,” prompting victims to enter additional cards—doubling or tripling the amount of stolen data.
  3. Transmitting: This is where the ZNFC app comes in. A rogue user anywhere in the world can wave a phone near any payment terminal that supports Apple Pay or Google Pay. The app relays the transaction from the fraudulent digital wallet on the attacker’s phone, processing the unauthorized payment as if the legitimate cardholder were present.

Because these transactions appear valid within standard NFC frameworks, most security mechanisms fail to detect the fraud until it’s too late. The ability to execute such attacks at scale—without needing physical access to stolen cards—demonstrates just how vulnerable today’s mobile-driven financial systems have become.

Mobile apps as cybercrime factories

While the ZNFC app has brought attention to ghost tap fraud, the underlying issue runs deeper: cybercriminals are increasingly weaponizing mobile apps to automate fraud, infiltrate authentication systems, and manipulate transactions in ways traditional security tools struggle to stop.

Hackers are no longer just targeting individual users—they’re industrializing their attacks.

  • Automating fraudulent transactions with scripted behaviors.
  • Using machine learning to optimize fraud success rates (e.g., adjusting when and where transactions are relayed to minimize detection).
  • Expanding beyond payments into identity theft, session hijacking, API abuse, and even access control manipulation.

This trend is alarming for banks, fintech firms, mobile app developers, and brands publishing apps—because if fraudsters can scale ghost taps today, what’s stopping them from using similar techniques to bypass biometric authentication, passwordless login systems, or multi-factor authentication in other critical services?

If apps can be weaponized, security should be built in

Ghost tap attacks show how easily criminals can turn mobile apps into tools for fraud, making basic security measures unreliable. To stay ahead, developers must build security into every mobile experience—not as an afterthought. 

Cybersecurity solutions like app shielding make it harder for hackers to tamper with apps, while real-time threat detection can stop unauthorized payments in progress. Session security and API protection help prevent account takeovers, and AI-powered fraud monitoring can catch unusual activity, like a single phone making payments in multiple locations. By adding these defenses, businesses can reduce the frequency and impact of ghost tap fraud before it spirals out of control.