Android Users Warned About New NFC Malware Spread Through Trojanized Payment Apps


NFC Malware Targets Android Users Through Trojanized Payment App

A recently uncovered campaign is leveraging a trojanized version of the HandyPay app to target Android users in Brazil. The malicious application, attributed to the NGate malware family, allows attackers to relay NFC card data and execute contactless transactions, resulting in significant financial losses for victims.

The campaign, active since November 2025, uses two primary distribution vectors:

Distribution Vectors

  • Fake Website Impersonation: A fake website impersonates the Rio de Prêmios lottery, enticing visitors to play a rigged scratch-card game. After “winning” a prize of R$20,000, victims are prompted to tap their NFC-enabled device, which redirects them to a fake Google Play page distributing the malware under the guise of “Card Protection.”
  • Direct Download: Victims can also download the malicious application manually from that fake Google Play page.

Malicious Application Behavior

  • Once installed, the app requests permission to become the default NFC payment app, a feature present in the legitimate HandyPay application.
  • The app then prompts users to enter their payment card PIN and tap their card to the device, allowing the malware to relay NFC card data to an attacker-controlled device.
  • The victim’s PIN is exfiltrated separately over HTTP to a dedicated command-and-control server, independent of HandyPay’s infrastructure.

According to ESET research, the operators behind the campaign chose to trojanize the HandyPay app due to cost considerations. Licensing an existing malware-as-a-service offering would incur significant subscription fees, whereas the legitimate HandyPay app requires only a €9.99 monthly donation.
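
The behavior described above (an NFC host-card-emulation service, NFC and network permissions, and PIN exfiltration over plain HTTP) leaves a recognizable footprint in an app’s manifest. The following triage heuristic is an added example, not code from the article or from ESET; the sample manifest and its package and class names are constructed for illustration, and a match only means the app deserves a closer look, since legitimate payment apps also use HCE.

```python
# Added example: flag an Android manifest that combines the traits of the
# described malware: an HCE service, NFC + INTERNET permissions, and
# cleartext (HTTP) traffic allowed. Identifiers are real Android names;
# the sample manifest below is constructed, not from any real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def manifest_traits(manifest_xml: str) -> dict:
    """Return which of the relevant traits a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    actions = {_attr(a, "name") for a in root.iter("action")}
    app = root.find("application")
    cleartext = app is not None and _attr(app, "usesCleartextTraffic") == "true"
    return {
        "hce_service": HCE_ACTION in actions,
        "nfc": "android.permission.NFC" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "cleartext_http": cleartext,
    }


def needs_review(manifest_xml: str) -> bool:
    """True when all traits of the described relay-and-exfiltrate pattern co-occur."""
    t = manifest_traits(manifest_xml)
    return t["hce_service"] and t["nfc"] and t["internet"] and t["cleartext_http"]


# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardprotection">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true">
    <service android:name=".PaymentHceService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_traits(SAMPLE_MANIFEST))
    print("review recommended:", needs_review(SAMPLE_MANIFEST))
```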

AI Involvement

  • ESET researchers assess that the malware was likely produced with GenAI assistance, citing emojis in its log strings as an indicator.
  • Definitive proof of AI involvement remains elusive.

This campaign highlights the growing sophistication of NFC-based payment fraud and the importance of vigilance in the face of increasingly complex threats.

Prevention Measures

  • Vigilance is key when dealing with unfamiliar applications and websites.
  • Be cautious of suspicious pop-ups and downloads.
  • Always verify the authenticity of websites and applications before using them.

ESET has notified Google through the App Defense Alliance and contacted the HandyPay developer directly, who confirmed an internal investigation is underway.

Logs recovered from the attacker’s C2 server showed four compromised devices, all geolocated in Brazil, along with the captured PINs, IP addresses, and timestamps for each.

As the use of AI in malicious activities continues to evolve, defenders must stay alert to emerging trends and technologies to protect against these evolving threats.
