ESET Research has detected an active campaign aimed at users in Spain that combines fraudulent messages, fake Android applications and the use of mobile NFC to steal banking information. The investigation reveals an operation designed to deceive the user and obtain the information linked to their bank card, which allows the cybercriminals to replicate the card and make contactless payments from a mobile device they control. In several cases, the fraud impersonates legitimate communications to reinforce its credibility.

In this campaign, cybercriminals distribute a malicious application that presents itself as a supposed protection tool under names such as “NFC Security – Charge Blocker”, and promote it through a website that imitates the look of Google Play to appear legitimate. Once installed, the app displays fraudulent messages, requests user actions, and sends the stolen information to infrastructure controlled by the attackers.

ESET has also observed infrastructure in operation that personalizes the scams and impersonates well-known brands and companies, including Santander, CaixaBank and Unicaja, as well as others outside the financial sector such as Shein. In some scenarios, even the initial message spoofs security notices issued by these entities to increase the victim’s confidence.

The hook: the fear of an unauthorized charge and the use of NFC

The hook of this campaign connects directly with an increasingly widespread habit among consumers: paying with their mobile phone or contactless cards. Criminals take advantage of this familiarity with NFC technology to construct a credible hoax, which in many cases impersonates normal bank verification procedures.

The victim receives a fraudulent message or reaches a fake website with an alarming notice related to an alleged security problem, a suspicious charge or a preventive block. Next, the victim is asked to download an application that appears to be legitimate and that, once installed, displays messages or screens that impersonate the interfaces of a security service or a banking entity.

The user is then asked to bring their card close to the phone for supposed verification and, in some cases, to enter the PIN as well. In reality, this entire process is designed so that the information ends up in the hands of the attackers, who can then store the stolen card data in the digital wallets of other mobile phones they control and make payments at the expense of their victims.

“The worrying thing about this campaign is that it uses an everyday and widely adopted technology, such as NFC, to construct a very convincing deception. The user believes that they are protecting their account, when in reality they are providing critical data to criminals,” explains Josep Albors, director of research and awareness at ESET Spain. “For a non-specialized user, the sequence may seem reasonable, precisely because it mixes known elements. That is where a good part of its danger lies.”

A threat that evolves and adapts to Spain

Although this type of threat does not come out of nowhere, it does mark a clear evolution in its adaptation to the Spanish market. ESET researchers have linked this activity to previous campaigns related to the infrastructure known as Devil NFC, a criminal platform that has reportedly been used since the beginning of 2026 to launch various decoys and fraudulent applications aimed at Spanish-speaking users.

Over the last few months, the attackers have been changing both the names of the applications and the brands that the campaign impersonates to increase the effectiveness of the deception. This evolution reflects an increasingly common trend in cybercrime: reusing the same technical infrastructure, but adapting the messaging, image and brands to the country or moment to increase the number of victims. In some variants, fake support even impersonates customer service channels to reinforce the manipulation.

ESET warns that these types of campaigns represent a significant leap compared to more traditional mobile frauds. Instead of just stealing passwords or codes sent by SMS, criminals are now looking for information directly linked to the physical bank card and its actual use.

The result is a threat with a much more direct potential impact on the victim’s pocketbook. For this reason, researchers insist that this type of deception should be understood not only as another digital scam, but as a form of financial fraud designed to take advantage of user trust in seemingly routine processes.

Prevention recommendations

When faced with campaigns of this type, ESET recommends following a series of guidelines:

  • Be wary of alarmist messages that talk about blocks, suspicious charges or urgent account problems.
  • Do not install applications from links received by SMS, WhatsApp or email.
  • Always check that the app comes from an official store and from the legitimate developer.
  • Do not hold your bank card close to your phone or enter your PIN based on instructions received in a message, on a website or in an unverified app.
  • Contact the bank directly through its official channels if you have any questions.
  • Keep your device updated and protected with a security solution capable of detecting malicious applications.