According to ESET telemetry, threat actors keep finding new ways to exploit #NFC technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low.
#NGate has demonstrated its relevance and is now enhanced with contact-stealing functionality. ESET researchers believe that this feature is designed to lay the groundwork for future attacks.
An NGate-based malware adapted for Brazil, #PhantomCard, targets banking clients via fake #Android apps that claim to improve security and privacy, distributed on pages featuring fabricated positive reviews.
And #RatOn combines RAT-like features with relay functionality, showcasing the determination of threat actors to evolve the methods of compromise. It’s distributed via fraudulent ads and apps, with the language targeting Czech and Slovak users.
Attackers remain faithful to tried-and-tested methods like #phishing calls and messages, while increasingly relying on psychological manipulation and #social engineering rather than exploiting just the technological aspect of NFC.
Read more about the evolution of NFC threat landscape in the latest #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf

ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app.
It shares the same package name (com.billy.cardemv) as some #NGate / #PhantomCard variants targeting Brazil, suggesting it could be a new version still focused on Brazil.
#ngate captures NFC card data and relays it to an attacker-controlled device, which uses the data for ATM withdrawals or POS payments—all without physical access to the victim’s card. We described #NGate in details in our blogpost in 2024
https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
IoCs:
Android/Spy.NGate.BD
223D7AA925549C9C657C017F06CF7C19595C2CEE
5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit[.]dev
googleplay-santander.pages[.]dev
googleplay-bb.pages[.]dev
googleplay-itau.pages[.]dev
googleplay-mercadolivre.pages[.]dev
googleplay-bradesco.pages[.]dev

#PhantomCard
#Android -Nutzer, die kontaktlos bezahlen
greift gezielt Kredit- und Bankkarten an
über manipulierte Webseiten verbreitet, - Google Play Store
- bieten vermeintliche Sicherheits-Apps an
- fordert PhantomCard die Nutzer auf, ihre Kredit- oder Debitkarte an die Rückseite des Smartphones zu halten
- Kartendaten direkt an Server der Angreifer übermittelt
- Eingabe der PIN verlangt
- gestohlenen Karten an #NFC -fähigen Terminals oder Geldautomaten nutzen

https://www.focus.de/digital/gefaehrlicher-android-trojaner-stiehlt-daten-von-bankkarten-so-schuetzen-sie-sich_cb681d6d-06f7-49e3-8b27-9b38b84b293c.html

New #NFC-Driven #Android #Trojan #PhantomCard targets Brazilian bank customers
https://securityaffairs.com/181186/malware/new-nfc-driven-android-trojan-phantomcard-targets-brazilian-bank-customers.html
#securityaffairs #hacking #malware

#PhantomCard: The "#Ghost" in your pocket that can empty your account

https://technewsro.blog/phantomcard-fantoma-din-buzunar-care-ti-poate-goli-contul/

Interesting, PhantomCard, NFC-based fraude/malware.
https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil
#malware #fraud #android #cybersecurity #phantomcard