NFC Tap To Pay Attacks Rise As Hackers Exploit Trojanized Android App

A new wave of cybercrime targeting mobile payment systems has emerged, with attackers exploiting near-field communication (NFC) technology to steal sensitive financial data. Security researchers have identified a campaign in which cybercriminals are using a modified Android application to capture payment card details and PINs, enabling fraudulent transactions and unauthorized ATM withdrawals. The activity has raised concerns over the growing risks associated with contactless payment systems and third-party mobile applications.

According to findings by ESET researchers, a variant of the NGate malware has been integrated into a trojanized version of the HandyPay application, a tool originally designed to relay NFC data between devices. By embedding malicious code into a legitimate tool, attackers are able to intercept NFC communication from victims' payment cards and transmit it to attacker-controlled devices. This allows threat actors to effectively clone payment cards and carry out contactless ATM cash-outs without physical access to the original card. The campaign has reportedly been active since November 2025 and primarily targets Android users in Brazil through deceptive distribution methods, including fake lottery websites impersonating Rio de Premios and spoofed pages resembling Google Play that promote a so-called card protection application.

The technique marks a shift in strategy, as attackers move away from building custom malware tools and instead repurpose existing applications that already contain the required functionality. HandyPay, which normally operates as an NFC relay application, requires minimal permissions and functions within expected payment workflows, making it less likely to raise suspicion among users. This allows the malicious activity to remain concealed while performing real-time data transfers. NFC relay tools are capable of capturing contactless communication and extending it over a network, effectively bypassing the short-range limitation of NFC technology. By leveraging such capabilities, attackers gain the ability to remotely use stolen card data in financial transactions. Researchers noted that this approach builds on earlier abuse of similar tools such as NFCGate but demonstrates a more refined method by embedding threats into legitimate software environments.

Additional observations from researchers suggest that artificial intelligence may have played a role in the development of the malware. Debug logs within the malicious code include emoji markers that are commonly associated with AI-generated outputs, indicating the possible use of generative AI tools during the trojanization process. While not definitive, this detail aligns with a broader pattern of cybercriminals adopting advanced technologies to accelerate the creation and deployment of threats. Despite existing safeguards in Android devices, including warnings when installing applications from unknown sources, the attack relies heavily on user interaction. Victims must manually allow installation from external sources after being prompted, a process that has become increasingly common and may not immediately appear suspicious. This combination of social engineering and technical manipulation highlights the evolving nature of mobile-based financial threats and underscores the importance of vigilance when installing applications outside official platforms.
