How does the VIPER malicious NFC application capture physical credit card data?

VIPER abuses Android's legitimate Host Card Emulation (HCE) and NFC polling APIs. When a physical contactless payment card is placed within close proximity of an infected Android smartphone, the malware reads and extracts Track 1 and Track 2 payment card data (including the PAN and expiration date) without the user's consent.

Can VIPER bypass the official Google Play Store protections?

Yes. VIPER is not distributed through the official Google Play Store. Instead, threat actors distribute the malware as a standalone APK file through social engineering tactics like smishing (SMS phishing) or rogue messaging apps, requiring the user to manually sideload the application.

Back to Threat Intelligence

malwarehigh

Alleged Sale of VIPER Malicious NFC App on Dark Web

A newly discovered malicious Android application named VIPER is being sold on dark web cybercrime forums. This mobile tool abuses legitimate NFC APIs to scan, capture, and clone physical credit card data, operating invisibly in the background with automatic persistence.

Published: June 26, 2026Source date: June 23, 2026Check your domain

Alleged Sale of VIPER Malicious NFC App on Dark Web

VIPER Malicious NFC App Threat Level

High-risk Android threat leveraging Host Card Emulation to harvest physical contactless card records.

0.0

/ 10.0 custom

High Risk

Adversary Profile: ViperSoftwares

ViperSoftwares

aka Viper Rat

Origin: Underground Forums (CrackingX, Niflheim World, Forumteam.Bet)
Motivation: Financial Gain
Targets: Android Mobile DevicesContactless EMV Credit/Debit Cards
TTPs: Abuse of legitimate NFC/HCE APIsBoot persistence via broadcast receiversLauncher icon concealment

VIPER Threat Lifecycle & Attack Chain

1Initial Accessmedium
Social engineering via SMS/WhatsApp links leading to sideloaded custom APKs.
medium
2Execution & Permissionshigh
Manual installation requesting NFC access and boot-completion broadcast receiver registration.
high
3Stealth Modelow
Launcher icon is hidden immediately after execution to run invisibly as a background service.
low
4NFC Harvestingcritical
Device scans physical credit/debit cards within proximity, extracting Track 1 & Track 2 EMV records.
critical
5Exfiltrationcritical
Harvested cards are cached and transmitted over encrypted channels to the actor's admin panel.
critical

MITRE ATT&CK Mobile Matrix Mapping for VIPER

Persistence

T1624.001

Event Triggered Execution: Broadcast Receivers

Credential Access

T1636

Credentials from Mobile Devices / Card Data

Defense Evasion

T1406

Obfuscated Files or Information

Command and Control

T1573

Encrypted Channel

VIPER Threat Identifiers & Indicators of Compromise

domain
viperrat.com
Historical developer command-and-control domain
domain
viperrat.com
Historical developer command-and-control domain
email
@Viperratsupport
Threat actor support handle on Telegram
email
@Viperratsupport
Threat actor support handle on Telegram
email
@Vipersoftwares
Threat actor channel handle on Telegram
email
@Vipersoftwares
Threat actor channel handle on Telegram
url
CrackingX
Cybercrime forum of threat actor activity
url
CrackingX
Cybercrime forum of threat actor activity
url
Niflheim World
Cybercrime forum of threat actor activity
url
Niflheim World
Cybercrime forum of threat actor activity
url
Forumteam.Bet
Cybercrime forum of threat actor activity
url
Forumteam.Bet
Cybercrime forum of threat actor activity

VIPER Malicious NFC App Sold on Cybercrime Forums | Femto Security Threat Intelligence

Alleged Sale of VIPER Malicious NFC App on Dark Web

Alleged Sale of VIPER Malicious NFC App on Dark Web

Key Takeaways

VIPER Malicious NFC App Threat Level

Adversary Profile: ViperSoftwares

VIPER Threat Lifecycle & Attack Chain

MITRE ATT&CK Mobile Matrix Mapping for VIPER

VIPER Threat Identifiers & Indicators of Compromise

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?