Android scam app sharpens NFC theft

Cyber criminals are using a tampered Android app to steal payment card data and PINs in a campaign that marks a more aggressive phase in near-field communication (NFC) fraud. The latest NGate malware variant targets users in Brazil and enables both unauthorised payments and cash withdrawals at contactless ATMs. The newly identified strain hides inside a doctored version of HandyPay, a legitimate NFC relay application, and appears to have been active since November 2025.

The operation represents a notable shift in how NGate is being deployed. Earlier versions of the malware family, first documented in 2024, relied on the NFCGate tool to relay card data from a victim’s handset to an attacker-controlled device. The new version instead abuses HandyPay, suggesting the operators are refining their methods to blend malicious code into software with a plausible use case. ESET said the altered app was never available on the official Google Play store, even though the legitimate HandyPay app itself has been publicly available.

At the centre of the scheme is NFC relay fraud, a technique that allows attackers to capture data from a victim’s physical payment card and transmit it to another device. That second device can then emulate the original card at an ATM or payment terminal. What makes the new campaign more dangerous is the added theft of PIN codes, which widens the scope from tap-to-pay abuse to contactless cash-out fraud. Researchers said the malware exfiltrates both card data and PINs to a command-and-control server, giving operators enough information to attempt withdrawals and purchases with limited physical access to the victim.

The Brazil-focused campaign appears to rely heavily on social engineering rather than a technical exploit alone. Two malware samples examined by researchers were distributed through bogus websites: one impersonated a lottery platform and another mimicked Google Play while promoting what looked like a card protection app. Both sites were hosted on the same domain, pointing to a single actor or tightly linked operators. That distribution method fits a broader pattern in mobile financial fraud, where convincing lures and fake app pages are doing as much of the work as the malware itself.

There is also a new and unusual wrinkle in the coding of the malicious app. ESET said indicators in the logs, including emoji associated with auto-generated text, suggest the malware patching may have been assisted by generative AI. That does not mean the entire operation was automated, nor does it change the core fraud model, but it points to a lower barrier for modifying legitimate software into criminal tools. For defenders, that matters because it could accelerate copycat campaigns and shorten the time between the release of a lawful app and the appearance of a weaponised clone.

The emergence of Brazil as a focal point is consistent with a wider rise in Android NFC threats. In its H2 2025 threat report, ESET said detections of NFC-abusing Android malware rose 87 per cent between the first and second halves of 2025. The company described Brazil as a growing hotspot, with fraud groups combining NFC abuse, banking trojan functions and more polished impersonation tactics. That broader trend matters because NGate is no longer an isolated experiment. It is part of an expanding ecosystem of mobile threats built around contactless payments, identity deception and rapid adaptation to local banking habits.

The malware family already had a troubling pedigree before this latest variant surfaced. The first public NGate campaign, uncovered in 2024, targeted customers of three banks in Czechia and was described as the first known Android malware seen in the wild relaying NFC traffic for ATM theft. That earlier campaign showed attackers could combine phishing, fake banking pages and card-data relaying without requiring victims to root their phones. The new Brazil operation suggests the concept has moved from a novel criminal technique to a reusable playbook that can be localised for different markets.
