Arrests in Tap-to-Pay Scheme Powered by Phishing

21 March 2025 at 14:12

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy Bernie Lyon wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group utilizing Android phones to conduct Apple Pay transactions utilizing stolen or compromised credit/debit card information,” [emphasis added].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as part of a deep dive into the operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “Z-NFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, ABC10, the ABC affiliate in Sacramento, Calif., aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A CBS News story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

Mac users beware: AI-powered malware threats are on the rise

16 February 2025 at 09:00

Apple devices are believed to be pretty secure, and that's what the company will tell you. You might have seen the tagline "Privacy. That’s Apple." in their promotions. 

However, the tech landscape is changing, and even Apple products aren’t beyond cybercriminals’ reach. 

A new report suggests Mac users will need to be more vigilant this year because AI advancements are helping hackers breach even the most secure systems. I have consistently reported on how Mac malware is targeting users, and experts now believe this will only get worse.

Mac malware is not what it used to be. For years, the biggest threats were annoying adware and browser hijackers, more of a nuisance than a real danger. But that is changing fast. As highlighted by Malwarebytes, a new wave of information stealers is taking over, and they are far more dangerous, going after passwords, authentication cookies, credit card details and even cryptocurrency.

This shift started in mid-2023 with the arrival of Atomic Stealer, also known as AMOS, a piece of malware that looked much more like something you would see on Windows than the typical Mac threats. AMOS was not just effective. It was easy to use and sold as a service for $1,000 a month with a slick web-based control panel. That success led to the rise of even more dangerous variants.

One of them, Poseidon, launched in mid-2024 and quickly became the dominant Mac stealer, responsible for 70% of infections. It can drain over 160 different cryptocurrency wallets, steal passwords from browsers and password managers and even grab VPN credentials.

At the same time, cybercriminals have doubled down on malvertising, using fake ads on Google and Bing to trick users into downloading malware instead of real software. These campaigns are highly targeted, allowing attackers to pinpoint Mac users and serve fake downloads based on their searches. With AI now being used to create and execute many of these attacks, they are likely to increase in scale.

While Mac malware is evolving, the situation on Android is even more alarming. Phishing attacks on the platform have reached staggering levels, with thousands of malicious apps designed to steal credentials and bypass security measures.

So far in 2024, researchers have detected 22,800 phishing-capable apps, alongside 3,900 apps designed to read OTPs from notification bars and 5,200 apps capable of extracting OTPs from SMS messages. These numbers highlight how widespread and effective Android phishing malware has become.

Just like phishing emails, phishing apps trick users into handing over their usernames, passwords and two-factor authentication codes. Once stolen, these credentials can be sold or used for fraud, identity theft or further cyberattacks. Because phishing apps require minimal code and fewer permissions than traditional malware, they are much easier to sneak onto app stores, including Google Play.

Many phishing apps look like regular, fully functional software. Some impersonate games or utilities, while others appear as cracked versions of popular apps like TikTok, WhatsApp or Spotify. Some stay dormant for days to avoid detection before launching their attacks. Others rely on ad functionality to redirect users to phishing sites, making the malicious code harder to trace.

Google Play Protect, which is built-in malware protection for Android devices, automatically removes known malware. However, it is important to note that Google Play Protect may not be enough. Historically, it isn't 100% foolproof at removing all known malware from Android devices.

Follow these essential tips to safeguard your devices from the latest malware threats, including the notorious info stealer malware.

1. Have strong antivirus software: The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Be cautious with downloads and links: Only download software from reputable sources such as the Mac App Store, Google Play Store or official websites of trusted developers. Be wary of unsolicited emails or messages prompting you to download or install updates, especially if they contain links. Phishing attempts often disguise themselves as legitimate update notifications or urgent messages.

3. Keep your software updated: Ensure that macOS, Android and all installed applications are up to date. Apple and Android frequently release security patches and updates that address vulnerabilities. Enable automatic updates for macOS, Android and your apps to stay protected without having to manually check for updates. If you need more help, see my guide on keeping all your devices updated.

4. Use strong and unique passwords: To protect your Mac from malware, it’s also crucial to use strong, unique passwords for all your accounts and devices. Avoid reusing passwords across different sites or services. A password manager can be incredibly helpful here. It generates and stores complex passwords for you, making them difficult for hackers to crack. 

It also keeps track of all your passwords in one place and automatically fills them in when you log into accounts, so you don’t have to remember them yourself. By reducing the number of passwords you need to recall, you’re less likely to reuse them, which lowers the risk of security breaches. Get more details about my best expert-reviewed Password Managers of 2025 here.

5. Use two-factor authentication (2FA): Enable 2FA for your important accounts, including your Apple ID, Google account, email and any financial services. This adds an extra step to the login process, making it harder for attackers to gain access even if they have your password.

The days when Mac users could assume they were safe are long gone. Cybercriminals are evolving their tactics, with Mac malware shifting from simple adware to advanced information stealers. Android phishing apps are also becoming harder to detect and more widespread than ever. From stealing passwords and authentication cookies to intercepting OTPs and draining cryptocurrency wallets, these threats are growing in both sophistication and scale. No platform is immune, and as cybercriminals continue refining their techniques, users and organizations must stay ahead with strong security measures.

Do you trust official app stores like the App Store and Google Play, or do you think they need to do more to prevent malware? Let us know by writing us at Cyberguy.com/Contact

Copyright 2025 CyberGuy.com.  All rights reserved.

Apple Maps Renames 'Gulf of Mexico' 'Gulf of America'

15 February 2025 at 16:31

Apple Maps has officially updated the "Gulf of Mexico" to the "Gulf of America" following President Donald Trump's executive order entitled "Restoring Names That Honor American Greatness."

The post Apple Maps Renames ‘Gulf of Mexico’ ‘Gulf of America’ appeared first on Breitbart.
