Cyber Criminals Exploit Trojanized Payment App to Steal NFC Data and Drain Accounts
Cybercriminals are exploiting a trojanized Android payment application to engage in alarming thefts of near field communication (NFC) data and personal identification numbers (PINs), enabling them to clone payment cards and empty victims’ accounts. This sinister development has caught the attention of cybersecurity experts, particularly those at ESET, who have issued warnings about a new variant of the well-known NGate malware.
This malicious variant has found its way into the legitimate HandyPay NFC-relay application, a tool originally designed for seamless communication between NFC-enabled devices. The malicious iteration of the app transfers NFC data directly to the attacker’s device, allowing for unlawful access and contactless cash withdrawals from ATMs.
The campaign also points to a disturbing trend: artificial intelligence (AI) appears to have been used to facilitate these attacks. According to ESET researchers, evidence suggests that the threat actors used generative AI to trojanize HandyPay. The researchers noted that emojis left in the logs are characteristic of AI-generated text, a finding that raises questions about how contemporary malware is being produced.
Since November 2025, the campaign has predominantly targeted Android users in Brazil, using various distribution methods that include a fake lottery website and a counterfeit Google Play page. It is crucial to emphasize that this escalates the threat posed to users unfamiliar with the underlying dangers of downloading applications from unofficial sources.
The Mechanics of Deceit: A Legitimate App in Malicious Hands
ESET researchers highlight a significant shift in the methodology employed by the NGate operators. Instead of developing custom malware tools from scratch, they have opted to repurpose existing applications, such as HandyPay, that require minimal permissions and fit naturally into expected payment workflows. This strategy not only simplifies the attack process but also camouflages the malicious intent behind an application that looks legitimate.
By injecting harmful code into an existing and seemingly benign NFC relay application, attackers can exploit functionalities already built into the software. An NFC relay app functions by capturing contactless communications from a card or device and relaying this data in real-time to another device, essentially extending short-range NFC signals over a broader network. This ease of operation affords cybercriminals the opportunity to carry out their exploits without causing alarm in users, as the app masquerades as a legitimate tool.
The methods of distribution for this malware raise red flags. Attackers have created a fake lottery site that mimics Brazil’s “Rio de Premios,” alongside a spoofed Google Play page that falsely advertises a “card protection” tool. Both avenues serve to ensnare unsuspecting victims who are lured by attractive offers.
AI’s Role in Modern Cyber Attacks
ESET’s findings also touch on a further complication of modern cybercrime. Researchers observed distinctive markers within the malware that hinted at the involvement of generative AI in its coding. More specifically, the presence of emoji markers in debug logs is a peculiar trait, often associated with AI-generated output but rare in traditionally crafted malware. While the researchers stress that this observation is not conclusive evidence, it does align with a growing trend of attackers leveraging large language models to expedite the creation of malware.
Android already has mechanisms that help guard against this attack vector, although they are incomplete. Victims are required to manually install the trojanized version of HandyPay, since the app is not officially listed on Google Play. When users tap the download button in their web browsers, Android presents a security alert that blocks the installation and prompts the user to allow installations from unknown sources.
For the attack to unfold successfully, users must then navigate through several security prompts, enabling settings that permit such installations. While this process might seem routine for third-party application installations, it fails to offer adequate safeguards against this emerging threat.
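As an added example (not code from the article or from ESET), the following script parses the output of `adb shell pm list packages -i` and flags packages whose recorded installer is not Google Play, which is the install path the trojanized HandyPay must take; the trusted-installer set, the sample output and the HandyPay package name are assumptions or placeholders.

```python
"""Flag sideloaded packages in `adb shell pm list packages -i` output.

Added example, not from the article or from ESET: the trojanized HandyPay
variant has to be installed from outside Google Play, so a package whose
recorded installer is not the Play Store deserves a closer look.
"""
import re

# Installer package names treated as trusted stores. Assumption: Google Play
# only; add the OEM store on devices that ship one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` looks like:
#   package:<package name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_line(line):
    """Return (package, installer) for one pm line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group("pkg"), m.group("inst")) if m else None


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer)] for packages not installed by a trusted store.

    "null" means no installer was recorded (e.g. adb install); a browser or the
    system package installer as installer is another sign of a non-store install.
    """
    findings = []
    for line in pm_output.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] not in trusted:
            findings.append(parsed)
    return findings


# Constructed sample output, not real device data. The HandyPay package name is
# a placeholder because the article does not give it.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:PLACEHOLDER.handypay.trojanized  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:com.example.other  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, inst in find_sideloaded(SAMPLE):
        print(f"review: {pkg} (installer={inst})")
```

Packages it reports can then be checked against the hashes and other indicators ESET publishes, rather than judged on name alone.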
To assist in counteracting this escalating problem, ESET has made available a comprehensive list of indicators through a dedicated GitHub repository. This resource includes essential information like files, hashes, network indicators, and MITRE ATT&CK maps aimed at supporting detection efforts within the cybersecurity community.
In a world where technology continually evolves, the devious tactics employed by cybercriminals also advance, requiring ongoing vigilance, awareness, and proactive measures from users and cybersecurity professionals alike. The recent actions involving the trojanized HandyPay app highlight the need for consumers to remain alert, educating themselves on the potential risks associated with downloading from unofficial sources, and adhering to best practices in digital security.
