RelayNFC Android NFC relay malware targeting Brazilian banking users
Malware Activity
Summary
Hide ▲
Show ▼
The RelayNFC malware is actively targeting Brazilian banking users with Android-based NFC relay attacks, creating a path to steal contactless payment data and enable remote EMV fraud. The campaign has been running since early November 2025 and uses phishing plus decoy Portuguese-language sites to distribute the malware.
Related Happenings
Ousaban banking trojan retooled for Spain and Portugal
Malware Activity
H score33
First: 01.07.2026 16:45
Last: 01.07.2026 16:45
Sources 1
About this happening:
The **Ousaban** banking trojan has been **retooled** to target **banking customers in Spain and Portugal**, raising the risk of **credential theft** and **bank fraud**. It uses **...
Ousaban banking trojan retooled for Spain and Portugal
Malware ActivityAbout this happening: The **Ousaban** banking trojan has been **retooled** to target **banking customers in Spain and Portugal**, raising the risk of **credential theft** and **bank fraud**. It uses **...
BTMOB phishing campaign targeting Brazil and Latin America
Campaign
H score39
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
BTMOB phishing campaign targeting Brazil and Latin America
CampaignAbout this happening: **BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
H score26
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
CampaignAbout this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
H score37
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate Android Brazil fake-app and fake-lottery campaign
CampaignAbout this happening: A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
H score34
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
NGate malware trojanized HandyPay NFC-stealing variant
Malware ActivityAbout this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Timeline
-
03.12.2025 17:32 2 articles · 7mo ago
Initial report: RelayNFC Android NFC relay malware targeting Brazilian banking users
Initial DisclosureThe initial phase focused on **phishing-driven Android installation** via Portuguese-language decoy sites, seeding **RelayNFC** so it could begin **real-time NFC relay** against payment cards.
Show sources
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32