Attackers are abusing a modified Android NFC app to steal payment card data and PINs for contactless fraud and ATM cash-outs.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A new variant of the NGate Android malware has been embedded into the legitimate HandyPay NFC relay app to steal contactless payment card data and PINs. Distributed via a fake lottery site and a spoofed Google Play page targeting Brazilian users since November 2025, the trojanized app relays NFC data to attackers for contactless fraud and ATM cash-outs. ESET researchers suspect generative AI was used in development, evidenced by emoji markers in debug logs. The attack requires victims to sideload the app outside Google Play, bypassing Android's built-in install warnings.

NFC tap-to-pay gets tapped by hackers