Android scam app sharpens NFC theft

Cyber criminals are using a tampered Android app to steal payment card data and PINs in a campaign that marks a more aggressive phase in near-field communication fraud, with the latest NGate malware variant targeting users in Brazil and enabling both unauthorised payments and cash withdrawals at contactless ATMs. The newly identified strain hides inside a doctored version of HandyPay, a legitimate NFC relay application, and appears to have been active since November 2025.

The operation represents a notable shift in how NGate is being deployed. Earlier versions of the malware family, first documented in 2024, relied on the NFCGate tool to relay card data from a victim’s handset to an attacker-controlled device. The new version instead abuses HandyPay, suggesting the operators are refining their methods to blend malicious code into software with a plausible use case. ESET said the altered app was never available on the official Google Play store, even though the legitimate HandyPay app itself has been publicly available.

At the centre of the scheme is NFC relay fraud, a technique that allows attackers to capture data from a victim’s physical payment card and transmit it to another device. That second device can then emulate the original card at an ATM or payment terminal. What makes the new campaign more dangerous is the added theft of PIN codes, which widens the scope from tap-to-pay abuse to contactless cash-out fraud. Researchers said the malware exfiltrates both card data and PINs to a command-and-control server, giving operators enough information to attempt withdrawals and purchases with limited physical access to the victim.

ADVERTISEMENT

The Brazil-focused campaign appears to rely heavily on social engineering rather than a technical exploit alone. Two malware samples examined by researchers were distributed through bogus websites: one impersonated a lottery platform and another mimicked Google Play while promoting what looked like a card protection app. Both sites were hosted on the same domain, pointing to a single actor or tightly linked operators. That distribution method fits a broader pattern in mobile financial fraud, where convincing lures and fake app pages are doing as much of the work as the malware itself.

There is also a new and unusual wrinkle in the coding of the malicious app. ESET said indicators in the logs, including emoji associated with auto-generated text, suggest the malware patching may have been assisted by generative AI. That does not mean the entire operation was automated, nor does it change the core fraud model, but it points to a lower barrier for modifying legitimate software into criminal tools. For defenders, that matters because it could accelerate copycat campaigns and shorten the time between the release of a lawful app and the appearance of a weaponised clone.

The emergence of Brazil as a focal point is consistent with a wider rise in Android NFC threats. In its H2 2025 threat report, ESET said detections of NFC-abusing Android malware rose 87 per cent between the first and second halves of 2025. The company described Brazil as a growing hotspot, with fraud groups combining NFC abuse, banking trojan functions and more polished impersonation tactics. That broader trend matters because NGate is no longer an isolated experiment. It is part of an expanding ecosystem of mobile threats built around contactless payments, identity deception and rapid adaptation to local banking habits.

The malware family already had a troubling pedigree before this latest variant surfaced. The first public NGate campaign, uncovered in 2024, targeted customers of three banks in Czechia and was described as the first known Android malware seen in the wild relaying NFC traffic for ATM theft. That earlier campaign showed attackers could combine phishing, fake banking pages and card-data relaying without requiring victims to root their phones. The new Brazil operation suggests the concept has moved from a novel criminal technique to a reusable playbook that can be localised for different markets.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Paymentology and T2P partner to accelerate the future of card issuing in Thailand // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // US missiles disable tanker bound for Iran // Gadkari’s Ethanol Defence Is Losing The Public Argument // Revolut clears first hurdle for Dubai crypto launch // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Guardian Fire expands Midwest reach with Nebraska deal // Dealing.com claims record for tokenised stock access // Inflation In India Rising Sharply Since January 2026, Highest In June // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // EU prosecutors examine subsidies linked to Babiš // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // Trump scraps Hormuz levy but tightens Iran blockade // Fynd brings AI fashion platform to Gulf // Dubai weighs turning organic waste into aviation fuel //