New Prilex Malware Blocks Contactless Payments

Prilex is indeed a single threat actor that transformed from malware targeted at ATMs into distinctive modular point-of-sale (PoS) malware. Prilex has resurfaced with new upgrades that allow it to block contactless payment transactions.

This is extremely sophisticated malware that uses a special cryptographic technique, patches target software in real-time, forces protocol downgrades, manipulates with cryptograms, performs GHOST transactions, and commits credit card fraud—even on cards protected by unhackable CHIP and PIN technology.

Credit and debit cards, key fobs, smart cards, and other devices are included in contactless payment systems. 

Near-field communication (NFC), which is used by Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and any other bank mobile application that supports contactless payments, is also a component of these systems.


According to the Kaspersky report, the embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal.

“Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity”, Kaspersky.

Following the Prilex PoS malware closely, Kaspersky claims to have discovered at least three new variations with the version numbers 06.03.8070, 06.03.8072, and 06.03.8080, which were initially made available in November 2022.

The COVID-19 pandemic and other factors have made contactless payments quite popular, but the real purpose of this new functionality is to disable the feature and make the user insert the card into the PIN pad.

“Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions”, Kaspersky researchers.

Excerpt from a Prilex rules file referencing NFC blocking
Excerpt from Prilex rules file referencing NFC blocking
Prilex-generated error on the PoS

When the new Prilex feature is turned on, contactless transactions are blocked, and the payment terminal displays the message “Contactless error, insert your card.”

This makes it simpler to obtain the card information through the payment terminal because it forces the victim to complete the transaction by inserting a credit card.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques such as manipulating cryptograms and performing a GHOST attack”, researchers explain.

The option to filter unwanted cards and only collect data from particular providers and tiers is another interesting feature that can be found for the first time on the most recent Prilex variations.

“These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit”, researchers

It is obvious that Prilex needs to force victims to insert the card into the compromised PoS terminal because the transaction data created during a contactless payment are meaningless from a cyber criminal’s perspective.

Network Security Checklist – Download Free E-Book