I mean, this is "malware" in the obvious sense.
But it's not compromising anything Android is doing. (Though it's worth noting that things like this are why Apple restricts NFC).
It's just phishing at the end of the day. Something you should make users aware of, but not a security flaw of the device.