HackWatch
High risk | Malware

Hackers Exploit Trojanized NFC Tap-to-Pay App to Clone Cards and Drain Accounts

Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
Technical reviewer: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

By: Artur Ślesik

Published: Apr 21, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 3

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 3 corroborating sources, the same cautious sequence he would use around managed router and server environments.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A sophisticated cybercrime campaign targeting Android users in Brazil has been uncovered, where hackers trojanize a legitimate NFC-relay payment app, HandyPay, to steal NFC payment data and PINs. The attack leverages AI-assisted malware development and social engineering via fake lottery and Google Play sites to enable contactless ATM cash-outs.

What happened

Cybercriminals have launched a high-risk campaign abusing a trojanized version of the HandyPay NFC-relay Android app to steal near field communication (NFC) payment data and PINs. This attack enables cloning of contactless payment cards and unauthorized draining of victim bank accounts via contactless ATM cash-outs.

According to ESET researchers, the NGate malware operators have shifted tactics from building custom tools to injecting malicious code into a legitimate NFC payment app, HandyPay, to stealthily capture and relay NFC data to attackers’ devices. The campaign has been active since November 2025, primarily targeting Android users in Brazil through fake lottery websites and spoofed Google Play pages.

Researchers also suspect that generative AI was used in the malware’s creation: its debug logs contain emoji markers, which are unusual in human-written malware and point to AI-assisted development shortening the time needed to build such tools.

Confirmed facts

  • Malware Variant: A new NGate malware variant is embedded in the HandyPay app, which normally functions as an NFC-relay tool.
  • Attack Vector: Trojanized HandyPay is distributed via fake lottery sites impersonating Brazil’s “Rio de Premios” and fake Google Play pages advertising “card protection” tools.
  • Target Platform: Android devices, specifically those outside the Google Play ecosystem where users manually install APKs.
  • Attack Method: The app captures NFC communication from payment cards and relays it in real time to attackers, enabling cloning and unauthorized transactions.
  • AI Involvement: Debug logs contain emoji markers typical of AI-generated code, suggesting generative AI was used in malware development.
  • User Interaction: For infection, users must manually enable installation from unknown sources, a common but risky practice.
  • Detection and Defense: Android’s built-in security prompts warn users during installation, but the workflow does not strongly deter users from enabling the required permissions.
  • Indicators of Compromise: ESET published hashes, network indicators, and MITRE ATT&CK mappings on GitHub to aid detection.

Who is affected

  • Primary Victims: Android users in Brazil who install apps outside the official Google Play Store, especially those enticed by fake lottery or card protection offers.
  • Financial Impact: Victims face cloned payment cards and unauthorized ATM withdrawals, leading to direct financial losses.
  • Broader Risk: Any NFC payment user who downloads unofficial apps or enables installation from unknown sources is at risk.

What to do now

  1. Avoid Installing Apps from Unofficial Sources: Do not download APKs from websites, especially those mimicking lotteries or financial services.
  2. Verify App Authenticity: Only install NFC-related apps from trusted developers via official app stores.
  3. Check Installed Apps: Review your Android device for unauthorized apps, particularly any versions of HandyPay or unfamiliar payment apps.
  4. Monitor Bank Statements: Regularly check for suspicious transactions and report them immediately to your bank.
  5. Use Bank Alerts: Enable transaction alerts via SMS or app notifications to detect unauthorized activity promptly.
  6. Update Device Security Settings: Disable “Install from unknown sources” unless absolutely necessary and re-disable it after use.
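Step 3 above and the detection FAQ further down come down to spotting apps installed outside the Play Store. The following script is an added example, not tooling from the article or from ESET: it audits a debug-connected Android device over adb for sideloaded packages and flags those that also request the NFC permission. The store allow-list, the package names and the sample adb output are constructed assumptions.

```shell
# Added example, not code from the HackWatch article or from ESET's research:
# audit an Android device for sideloaded packages that also request the NFC
# permission, i.e. the install path this campaign depends on combined with the
# permission an NFC-relay trojan needs. Parsers take text so they run offline;
# audit_device feeds them real adb output. Sample data below is constructed.

# Installer package names treated as legitimate stores (assumption; extend it).
ALLOWED_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# Input: text in `adb shell pm list packages -i` format, one package per line:
#   package:com.example.app  installer=com.android.vending
# Output: "<package> <installer>" for each package not installed by a store
# (installer=null means a manual APK, browser download or adb install).
find_sideloaded() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=${line#package:}; pkg=${pkg%% *}
        inst=${line##*installer=}
        case " $ALLOWED_INSTALLERS " in
            *" $inst "*) ;;                        # store-installed, skip
            *) printf '%s %s\n' "$pkg" "$inst" ;;
        esac
    done
}

# Input: text in `adb shell dumpsys package <pkg>` format. Exit status 0 when
# the package requests the NFC permission, 1 otherwise.
has_nfc_permission() {
    printf '%s\n' "$1" | grep -q 'android\.permission\.NFC'
}

# Live use (needs adb and a debug-authorised device): list sideloaded packages
# and mark those that can reach the NFC hardware for priority review.
audit_device() {
    find_sideloaded "$(adb shell pm list packages -i)" | while read -r pkg inst; do
        if has_nfc_permission "$(adb shell dumpsys package "$pkg")"; then
            printf 'REVIEW %s (installer=%s) requests NFC\n' "$pkg" "$inst"
        else
            printf 'sideloaded %s (installer=%s)\n' "$pkg" "$inst"
        fi
    done
}

# Constructed sample adb output for offline use (package names are placeholders).
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.example.nfcrelay  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller'
SAMPLE_DUMPSYS_NFC='requested permissions:
  android.permission.NFC
  android.permission.INTERNET'
```

Run `audit_device` on a device with USB debugging enabled; anything reported as REVIEW is not proof of infection but is the first thing to compare against ESET's published indicators.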

How to secure yourself

  • Use Official Payment Apps: Stick to NFC payment apps vetted by Google Play Protect and your bank.
  • Enable Multi-Factor Authentication (MFA): Protect your banking and payment accounts with MFA to prevent unauthorized access.
  • Keep Software Updated: Regularly update your Android OS and apps to patch vulnerabilities.
  • Use Security Software: Install reputable mobile security solutions that can detect trojanized apps and malware.
  • Be Wary of Social Engineering: Avoid clicking on suspicious links or downloading apps from unsolicited messages or websites.
  • Regularly Review App Permissions: Limit NFC and payment-related permissions to trusted apps only.

FAQ

How does the trojanized HandyPay app steal my NFC data?

The malicious version of HandyPay captures NFC signals from your payment card and relays them in real time to attackers, who then clone your card and perform unauthorized transactions.

Can this attack happen if I only use official app stores?

Currently, the trojanized app is distributed outside Google Play, so users who only install apps from official stores are less at risk. However, vigilance is still necessary.

What role does AI play in this malware?

Researchers found emoji markers in the malware’s debug logs, suggesting generative AI tools were used to write or assist in creating the malicious code.

How can I tell if I’ve been infected?

Look for unknown apps like HandyPay installed outside the Play Store, unusual NFC activity, or unauthorized bank transactions. Security tools can help detect infections.

What should I do if I suspect my card is cloned?

Immediately contact your bank to report the fraud, freeze or cancel your card, and monitor your accounts for further suspicious activity.

Is this attack limited to Brazil?

Currently, the campaign targets Brazilian Android users, but similar tactics could spread globally.

Does Android have protections against this malware?

Android warns users about installing apps from unknown sources but cannot fully block side-loading if users override security prompts.

How can banks protect customers from this threat?

Banks can implement enhanced transaction monitoring, require PIN verification for contactless withdrawals, and educate customers on app installation risks.

What is an NFC-relay app?

It’s an app that captures NFC signals from a card or device and forwards them over a network, extending the short-range NFC communication for remote use.

Are other payment methods at risk?

While this attack targets NFC payments, all digital payment methods require vigilance against malware and phishing.

Why this matters

This campaign highlights a dangerous evolution in mobile payment fraud where attackers leverage legitimate apps to bypass security controls, combined with AI-assisted malware development to accelerate attacks. The exploitation of NFC technology, widely adopted for contactless payments, threatens financial security on a large scale. Users’ willingness to sideload apps and the limitations of current mobile OS protections create fertile ground for such sophisticated fraud. Understanding this threat is critical for consumers, financial institutions, and cybersecurity professionals to adapt defenses and reduce financial losses.

Sources and corroboration

This article synthesizes findings primarily from ESET researchers as reported by CSO Online on April 22, 2026. The information is corroborated by technical analysis shared on ESET’s GitHub repository, including malware hashes, network indicators, and MITRE ATT&CK mappings. Additional insights into AI’s role in malware development and Android security measures are integrated from cybersecurity expert commentary and official Android documentation.

  • https://www.csoonline.com/article/4161983/nfc-tap-to-pay-gets-tapped-by-hackers.html
  • https://github.com/eset/malware-ioc/tree/main/NGate_HandyPay

Sources used for this article

infosecurity-magazine.com, welivesecurity.com, csoonline.com

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Hackers Exploit Trojanized NFC Tap-to-Pay App to Clone Cards and Drain Accounts".

  • Secure web portals and publishing operations
  • Phishing prevention and account-safety guidance
  • User-facing recovery playbooks