{"id":16126,"date":"2026-04-22T11:41:30","date_gmt":"2026-04-22T11:41:30","guid":{"rendered":"https:\/\/newestek.com\/?p=16126"},"modified":"2026-04-22T11:41:30","modified_gmt":"2026-04-22T11:41:30","slug":"nfc-tap-to-pay-gets-tapped-by-hackers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16126","title":{"rendered":"NFC tap-to-pay gets tapped by hackers"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cyber crooks are abusing a trojanized Android payment application to steal near field communication (NFC) data and PINs, enabling cloning of payment cards and draining victim accounts.<\/p>\n<p>According to ESET researchers, a new variant of the <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/ngate-android-malware-relays-nfc-traffic-to-steal-cash\/\" target=\"_blank\" rel=\"noreferrer noopener\">NGate<\/a> malware has been infused into the HandyPay NFC-relay application to transfer NFC data to the attacker\u2019s device and use it for contactless ATM cash-outs.<\/p>\n<p>Use of AI is suspected in the campaign. 
\u201cTo trojanize HandyPay, threat actors most probably used GenAI, indicated by emoji left in the logs that are typical of AI-generated text,\u201d the researchers said in a blog <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>.<\/p>\n<p>The campaign has been distributing two malware samples, through a fake lottery website and a fake Google Play website, in attacks targeting Android users in Brazil since November 2025.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Legit app doing the dirty work<\/h2>\n<p>ESET researchers pointed out that the campaign marks a shift by NGate operators from custom tooling to a trojanized legitimate application. HandyPay, originally designed to relay NFC data between devices, is being used because it requires minimal permissions and blends into expected payment workflows.<\/p>\n<p>This approach avoids building custom tooling from scratch, as previously seen with the <a href=\"https:\/\/github.com\/nfcgate\/nfcgate\" target=\"_blank\" rel=\"noreferrer noopener\">NFCGate<\/a> abuse, and instead adds malicious code into an existing NFC-capable app. 
By repurposing an NFC relay app, the attackers inherit functionality that already handles the core data exchange, the researchers noted.<\/p>\n<p>An NFC-relay app is a tool that captures contactless communication from a card or device and forwards it in real time to another device, extending the short-range <a href=\"https:\/\/www.csoonline.com\/article\/555221\/digiwell-will-teach-you-an-nfc-trick-your-old-dog-may-already-know.html\">Near Field Communication<\/a> signal over a network for remote use.<\/p>\n<p>Because the app operates within expected NFC workflows, it is easier for attackers to mask the attack.<\/p>\n<p>The distribution channels include a fake lottery site impersonating Brazil\u2019s \u201cRio de Premios,\u201d and a spoofed Google Play page advertising a \u201ccard protection\u201d tool.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>AI was likely used<\/h2>\n<p>ESET researchers also spotted something unusual in the malware\u2019s internals. Some traces suggested generative AI may have played a role in its development.<\/p>\n<p>Specifically, the injected malicious code contains emoji markers in debug logs, something more commonly associated with AI-generated output than human-written malware. The researchers noted that this isn\u2019t definitive proof but aligns with a broader trend of attackers using large language models<a href=\"https:\/\/www.csoonline.com\/article\/4008912\/wormgpt-returns-new-malicious-ai-variants-built-on-grok-and-mixtral-uncovered.html\"> to accelerate<\/a> malware creation.<\/p>\n<p>Android presently has some protection against this attack vector in the form of security alerts. \u201cThe victim needs to manually install a trojanized version of HandyPay, since the app is only available outside Google Play,\u201d the researchers said. 
\u201cWhen a user taps the download app button in their browser, Android automatically blocks the install and shows a prompt asking them to allow installation from this source.\u201d<\/p>\n<p>For the attack to be successful, the user then needs to tap Settings in the prompt, enable \u201cAllow from this source,\u201d and return to installing the app, a process quite common with third-party app installation these days. Nothing particularly suspicious stands out in the \u201callow download\u201d workflow to protect against this threat.<\/p>\n<p>ESET shared a list of indicators in a dedicated GitHub <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/ngate\" target=\"_blank\" rel=\"noreferrer noopener\">repository<\/a>, which included files, hashes, network indicators, and MITRE ATT&amp;CK maps to support detection efforts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cyber crooks are abusing a trojanized Android payment application to steal near field communication (NFC) data and PINs, enabling cloning of payment cards and draining victim accounts. According to ESET researchers, a new variant of the NGate malware has been infused into the HandyPay NFC-relay application to transfer NFC data to the attacker\u2019s device and use it for contactless ATM cash-outs. 
Use of AI is&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16126\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16126","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16126"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16126\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}