PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks
Summary
A new variant of the NGate malware family has been using a trojanized version of the HandyPay NFC relay app to capture payment card data and PINs from Brazilian Android users since November 2025. The malicious HandyPay build is distributed through phishing domains impersonating a Brazilian lottery site and a Google Play listing for a card protection tool ('Proteção Cartão'), with lures also spread through fake lottery scams on WhatsApp. Once installed, the app prompts the victim to set it as the default NFC payment app and to enter the card PIN, then relays the card's NFC data to attacker-controlled devices, enabling fraudulent contactless transactions and ATM withdrawals; the stolen data is also exfiltrated to a hardcoded attacker-controlled email address. Unlike earlier NGate variants that relied on the open-source NFCGate tool, this campaign uses a modified HandyPay, a shift ESET researchers attribute to cost and evasion benefits: HandyPay is significantly cheaper and requires no permissions beyond default payment app status. Evidence suggests the malicious code may have been partially generated with generative AI tools, indicated by emoji markers in debug logs.
Timeline
- 14.08.2025 14:06 · 3 articles
PhantomCard Android Trojan Targets Brazilian Banking Customers via NFC Relay Attacks
ESET researchers identify a new NGate malware campaign leveraging a trojanized version of the HandyPay NFC relay app to capture payment card data and PINs from Brazilian Android users since November 2025. The malicious HandyPay app is distributed via phishing domains impersonating a Brazilian lottery site and a Google Play listing for a card protection tool. Once installed, the app relays NFC payment card data to attacker-controlled devices, enabling fraudulent contactless transactions and ATM withdrawals. Unlike earlier NGate variants that relied on open-source tools like NFCGate, this campaign uses a modified version of HandyPay to avoid detection and requires minimal permissions beyond default payment app status. Google Play Protect detects known versions of the malware, and the HandyPay developer has been notified and is investigating the misuse of its application. Evidence suggests the malicious code may have been partially generated using generative AI tools, indicated by emoji markers in debug logs.
Sources:
- New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
- NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
Information Snippets
- PhantomCard is an Android trojan that uses NFC relay attacks to steal banking card data and PINs.
  First reported: 14.08.2025 14:06 · 3 sources, 3 articles. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- The malware is distributed via fake Google Play pages mimicking legitimate card protection apps.
  First reported: 14.08.2025 14:06 · 2 sources, 2 articles. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- PhantomCard is based on Chinese-originating NFC relay malware-as-a-service, known as NFU Pay.
  First reported: 14.08.2025 14:06 · 1 source, 1 article. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
- The malware is linked to a known reseller of Android threats in Brazil, Go1ano developer.
  First reported: 14.08.2025 14:06 · 1 source, 1 article. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
- PhantomCard establishes a channel between the victim's card and a PoS terminal or ATM controlled by the attacker.
  First reported: 14.08.2025 14:06 · 2 sources, 2 articles. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- Similar NFC relay malware, such as SuperCard X and KingNFC, is active in the region.
  First reported: 14.08.2025 14:06 · 1 source, 1 article. Sources:
  - New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06
- NGate malware variants now use a trojanized version of the HandyPay app to steal NFC payment data.
  First reported: 21.04.2026 12:00 · 2 sources, 2 articles. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- NGate malware variants include code with emojis, suggesting possible use of generative AI tools in development.
  First reported: 21.04.2026 12:00 · 2 sources, 2 articles. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- NGate malware variants have been active in Brazil since November 2025, targeting Android devices.
  First reported: 21.04.2026 12:00 · 1 source, 1 article. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- NGate malware variants are distributed via fake apps like 'Proteção Cartão' on fake Google Play pages and through fake lottery scams via WhatsApp.
  First reported: 21.04.2026 12:00 · 2 sources, 2 articles. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- NGate malware variants prompt users to set the fake app as the default NFC payment app and request card PINs for NFC data exfiltration.
  First reported: 21.04.2026 12:00 · 1 source, 1 article. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- ESET researchers attribute the shift from NFCGate to HandyPay in NGate variants to cost and evasion, as HandyPay is cheaper and requires no permissions beyond default payment app status.
  First reported: 21.04.2026 12:00 · 2 sources, 2 articles. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- NGate malware variants exfiltrate stolen card data to a hardcoded attacker email address.
  First reported: 21.04.2026 12:00 · 2 sources, 2 articles. Sources:
  - NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- Malicious HandyPay app samples were hosted on phishing domains that impersonated a Brazilian lottery site and a Google Play listing for a card protection tool.
  First reported: 21.04.2026 19:00 · 1 source, 1 article. Sources:
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- Google Play Protect detects known versions of the malware, per a Google statement.
  First reported: 21.04.2026 19:00 · 1 source, 1 article. Sources:
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
- The HandyPay developer has been notified and is investigating the misuse of its application.
  First reported: 21.04.2026 19:00 · 1 source, 1 article. Sources:
  - Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00
Similar Happenings
Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting
A fraudulent Ledger Live macOS application, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ compromised approximately 50 users between April 8–11, 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit app tricked users into entering seed phrases, granting attackers full wallet control and enabling fund transfers to attacker-controlled addresses. The incident is part of the broader Apple App Store infiltration campaign dubbed FakeWallet, linked to the SparkKitty operation and active since at least fall 2025. Kaspersky identified 26 malicious apps impersonating major wallets (e.g., Ledger, MetaMask, Coinbase) to steal seed phrases and drain crypto assets, with malware delivered via libraries or injected code. Some apps contained latent malicious features awaiting future activation, and the campaign’s modules lacked regional restrictions despite initial targeting of Chinese-speaking users. Apple began removing malicious apps after Kaspersky’s disclosure, freezing implicated KuCoin accounts until April 20, 2026.
Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Six Android malware families continue to target Pix payments, banking apps, and cryptocurrency wallets, with Mirax expanding its capabilities beyond financial theft. The Mirax trojan now integrates residential proxy functionality, enabling attackers to route malicious traffic through compromised devices and evade geographic restrictions. Mirax, previously identified as a banking trojan offered through a malware-as-a-service ecosystem, now operates under a restricted MaaS model targeting Spanish-speaking users with campaigns exceeding 200,000 accounts via social media advertisements. It provides full real-time device control, dynamic fake overlays fetched from C2 servers, and surveillance features including keylogging and lock screen detail collection. Distribution relies on social engineering via illegal streaming app promotions, with malware hosted on GitHub and device evasion techniques. Compromised devices are repurposed as residential proxies for broader cybercriminal activities, including account takeovers and anonymized network attacks.
BeatBanker Android malware targets users with Starlink app disguise
A new Android malware named BeatBanker impersonates a Starlink app to hijack devices. It combines banking trojan functions with Monero mining, stealing credentials and tampering with cryptocurrency transactions. The malware is distributed via fake Google Play Store websites and uses sophisticated evasion techniques, including persistence via an inaudible MP3 file and dynamic mining operations. Kaspersky researchers discovered the malware targeting users in Brazil, with potential for expansion to other regions.
GoldFactory Deploys Modified Banking Apps in Southeast Asia
GoldFactory, a financially motivated cybercrime group, has been targeting mobile users in Indonesia, Thailand, and Vietnam since October 2024. The group distributes modified banking applications that act as conduits for Android malware, leading to over 11,000 infections. The malware impersonates government services and trusted local brands to trick victims into installing the malicious apps, which then abuse Android's accessibility services for remote control and data theft. In July 2025, GoldFactory launched a sophisticated fraud campaign targeting Indonesia's Coretax tax platform, intensifying in January 2026. This campaign impersonated Coretax to trick users into installing malicious mobile applications, resulting in an estimated $1.5m to $2m in financial impact. The operation involved phishing websites, WhatsApp impersonation, and vishing calls to direct victims to download fraudulent APK files, deploying multiple malware families including Gigabud.RAT and MMRat.
NFC Relay Malware Surge Targeting European Payment Cards
A surge of NFC relay malware targeting payment cards has been observed in Eastern Europe. Over 760 malicious Android apps have been identified, exploiting Host Card Emulation (HCE) to steal contactless credit card data. The malware captures EMV fields, manipulates APDU commands, and enables unauthorized payments. The malware has evolved into multiple variants, including data harvesters, relay toolkits, and ghost-tap payments. It has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks. New research reveals over 54 malicious APK samples, often disguised as legitimate financial apps, are being sold and promoted within Chinese-language cybercrime communities on Telegram. Victims are targeted through smishing and vishing campaigns, and card data is transmitted via C2 servers to complete fraudulent transactions. Prominent vendors like TX-NFC, X-NFC, and NFU Pay sell access to this malware, with TX-NFC alone having over 21,000 subscribers.