NFC Carding in 2026: The Underground Playbook


The New Frontier of Contactless Fraud

2026 has become a watershed year for NFC-based payment fraud.
According to Kaspersky telemetry, the number of NFC-based attacks on Android smartphones surged by 188% in the first four months of 2026 compared to the same period in 2025. Their cybersecurity solutions blocked 35,600 attacks from January to April 2026, up from just over 12,300 during the same period last year.

The malware families driving this surge include SuperCard X, PhantomCard, NGate, and various malicious modifications of the open-source NFCGate tool. Russia remains the primary target market, but experts note that users in Latin America and Europe are increasingly affected.

The Technical Arsenal: Understanding the Tools

NGate: From Open Source to AI-Assisted Malware

NGate was first documented in mid-2024 as an Android malware capable of stealing payment card information through a device's NFC chip. The data is transmitted to attackers, who create virtual cards used for unauthorized purchases or cash withdrawals from NFC-enabled ATMs.

How it originally worked: Early versions of NGate used an open-source tool called NFCGate to capture, relay, replay, and clone NFC data. This tool functions without requiring the device to be rooted.

The 2026 evolution: ESET researcher Lukáš Štefanko discovered a new variant that uses a trojanized version of HandyPay, a legitimate Android payment app. The threat actors took HandyPay — legitimately available on Google Play since 2021 — and patched it with malicious code.

The AI Connection

What makes this particularly alarming is that the malicious code shows signs of being produced with the help of Generative AI tools. The malware logs contain an emoji typical of AI-generated text, suggesting LLMs were involved in generating or modifying the code. This fits a broader trend where GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.

NFCPass, NFCShare, and Relay Families

NFCShare emerged as another significant threat in early 2026, with security researchers documenting its evolution from targeting only Deutsche Bank in Germany in January to now targeting multiple European banks.

NFCShare's infection chain begins with phishing websites that impersonate legitimate bank portals. After victims provide their online banking credentials, they're redirected to a GitHub repository hosting malicious APK files. Since April 10, this repository has hosted 56 unique malicious APK files impersonating banking apps for institutions including:
  • Intesa Carte, Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte (Italy)
  • CaixaBank, CaixaBankNfc, CaixaReactivaTarjeta (Spain)

Technical evasion: Newer NFCShare variants employ malformed APK packaging — deliberately corrupted file paths within the ZIP archive designed to hinder automated malware analysis tools while not preventing manual investigation.
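The packaging trick described above (entry paths inside the APK's ZIP container that break automated unpackers) is something an analysis pipeline can screen for before it ever reaches a sandbox. The following is an added example, not code from the post or from any of the research teams cited; the suspicious-path heuristics (absolute paths, traversal components, control characters, duplicate names, missing manifest) are assumptions for illustration, and the sample APK is constructed in memory rather than taken from a real campaign.

```python
import io
import re
import warnings
import zipfile

# Heuristics are assumptions for this example (entry-path patterns that break
# automated unpacking), not a description of NFCShare's actual packaging.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_sample_apk(malformed: bool = True) -> bytes:
    """Construct an APK-like ZIP in memory; with malformed=True add bad entry paths."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035")
            if malformed:
                zf.writestr("classes.dex", b"dex\n035 shadow copy")          # duplicate name
                zf.writestr("../../res/values/strings.xml", b"<resources/>")  # path traversal
                zf.writestr("/lib/arm64-v8a/libnative.so", b"\x7fELF")        # absolute path
                zf.writestr("assets/\x01\x02payload.bin", b"\x00" * 4)        # control chars
    return buf.getvalue()


def scan_apk_entries(data: bytes) -> dict:
    """Report suspicious entry paths; an unparsable archive is itself a finding."""
    report = {"parse_error": None, "findings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        report["parse_error"] = str(exc)
        return report
    seen = set()
    for info in zf.infolist():
        name = info.filename
        reasons = []
        if name.startswith("/"):
            reasons.append("absolute path")
        if ".." in name.split("/"):
            reasons.append("path traversal")
        if CONTROL_CHARS.search(name):
            reasons.append("control characters in path")
        if name in seen:
            reasons.append("duplicate entry name")
        seen.add(name)
        if reasons:
            report["findings"].append((name, reasons))
    if "AndroidManifest.xml" not in seen:
        report["findings"].append(("AndroidManifest.xml", ["manifest missing"]))
    return report


def verdict(report: dict) -> str:
    """Collapse the report to a triage label for a pipeline."""
    if report["parse_error"] or report["findings"]:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    rep = scan_apk_entries(build_sample_apk())
    print(verdict(rep))
    for name, reasons in rep["findings"]:
        print(f"  {name!r}: {', '.join(reasons)}")
```

The important design choice is that a parse failure is treated as a finding rather than an error to skip: an archive that the stock ZIP reader rejects but that Android's installer still accepts is exactly the case the post describes, so it should be routed to manual review instead of silently dropped.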

The Two Attack Vectors: From an Underground Carder's Perspective

Direct NFC (Classic Method)

How it works: Carders contact victims via messaging apps, automated calls with pre-recorded messages, or malvertising. Under the guise of identity verification or security updates, victims are tricked into downloading a malicious app — often disguised as a financial application.

Victims are then prompted to:
  1. Tap their bank card to the infected smartphone
  2. Enter their card PIN

The card data is then relayed to the attackers, enabling unauthorized ATM withdrawals and PoS payments.

Why it works: The initial phishing stage relies on browser APIs to reach the device's hardware, so the victim is never asked to grant special permissions at installation time. Once the "security update" is installed, the NFCGate component activates and captures data from any card brought near the infected device.

Reverse NFC (The 2026 Evolution)

This is the more sophisticated — and increasingly common — scheme.

How it works: Carders send users a malicious app and, using social engineering techniques, persuade them to set this app as their primary contactless payment method.

The compromised app then generates an NFC signal that ATMs recognize as the carders' card. Victims are persuaded to go to an ATM and deposit funds into a "secure account" using their infected phone — in reality, the carders receive the victims' money.

"The danger of a newer, more sophisticated scheme is that this type of fraud is harder to detect and fight against, because victims themselves transfer money to the attackers' accounts, and such transactions are hard to distinguish from legitimate ones."
— Sergey Golovanov, Chief Security Expert at Kaspersky

The Business Model: Malware-as-a-Service (MaaS)

NFC relay malware has evolved into a commercial ecosystem. According to ESET research:
Service                  Cost                   Notes
NFU Pay                  ~$400/month            MaaS kit with full NFC relay capabilities
TX-NFC                   ~$500/month            Alternative MaaS offering
HandyPay (legitimate)    €9.99/month donation   Trojanized by attackers to avoid MaaS fees

Why did the NGate carders switch from NFCGate to HandyPay? The answer is simple: money. HandyPay is significantly cheaper than existing MaaS kits, natively requires no permissions beyond being set as the default payment app, and helps carders avoid raising suspicion.

The Underground Supply Chain

Phishing Kits and the Rise of Chinese-Speaking Gangs

According to ThreatFabric research, carding has re-emerged with a modern twist. Carders are converting phished card data into Apple Pay and Google Wallet accounts, enabling tap-to-pay fraud at scale.
Chinese-speaking gangs have become prominent players in this space, offering phishing kits and tutorials on underground forums. This shift signals a diversification of threat actors beyond historically dominant regions.

Key Vulnerabilities Being Exploited

  • POS networks often lack controls for detecting geographical anomalies
  • Transactions initiated via reverse NFC attacks can bypass conventional fraud detection because they appear to be initiated by legitimate account holders
  • Card provisioning journeys remain insufficiently hardened
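Two of the gaps listed above, missing geographical-anomaly controls on card-present networks and insufficiently hardened provisioning, can be checked with rules that run over an issuer's own transaction stream. The following is an added example, not code from the post or from ThreatFabric: it scores a small constructed set of card-present events for impossible travel between consecutive taps (a relayed card cannot physically be in two places) and for ATM cash-outs made with a device token provisioned only hours earlier. The thresholds, the field names and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class CardPresentTx:
    card: str           # tokenised card reference
    ts: datetime
    lat: float
    lon: float
    channel: str        # "pos" or "atm"
    token_age_h: float  # hours since the paying device token was provisioned
    amount: float


# Thresholds are assumptions for this example, not values from the post or any issuer.
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two taps is not travel, it is a relay
FRESH_TOKEN_HOURS = 24.0    # an ATM withdrawal on a token this new is worth review


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_transactions(txs):
    """Return {index_in_txs: [reasons]} for every transaction that trips a rule."""
    flags = {}
    last_seen = {}  # card -> previous transaction in time order
    for idx, tx in sorted(enumerate(txs), key=lambda p: p[1].ts):
        reasons = []
        if tx.channel == "atm" and tx.token_age_h < FRESH_TOKEN_HOURS:
            reasons.append("cash-out on freshly provisioned token")
        prev = last_seen.get(tx.card)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, tx.lat, tx.lon)
            hours = (tx.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
        last_seen[tx.card] = tx
        if reasons:
            flags[idx] = reasons
    return flags


# Constructed sample: four card-present events on one day (not real data).
SAMPLE = [
    CardPresentTx("card-A", datetime(2026, 4, 20, 10, 0), 55.7558, 37.6173, "pos", 2000.0, 12.50),  # Moscow
    CardPresentTx("card-A", datetime(2026, 4, 20, 10, 40), 45.4642, 9.1900, "atm", 3.0, 500.00),   # Milan, 40 min later
    CardPresentTx("card-B", datetime(2026, 4, 20, 9, 0), 40.4168, -3.7038, "pos", 500.0, 8.00),    # Madrid
    CardPresentTx("card-B", datetime(2026, 4, 20, 12, 0), 41.3874, 2.1686, "pos", 500.0, 30.00),   # Barcelona, 3 h later
]

if __name__ == "__main__":
    for idx, reasons in flag_transactions(SAMPLE).items():
        print(idx, SAMPLE[idx].card, reasons)
```

Only the Milan ATM withdrawal is flagged, on both rules: card-A cannot cover the roughly 2,300 km from Moscow in forty minutes, and the token paying at the ATM is three hours old. Card-B's Madrid-to-Barcelona pair works out to about 170 km/h over three hours, which is ordinary rail travel and correctly stays silent. Neither rule needs anything beyond what the acquirer already sends, which is the point: the post's "hard to distinguish" reverse-NFC transactions look legitimate at the single-event level but rarely at the sequence level.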

Geographic Targeting

Region     Threat Level   Activity Observed
Russia     Critical       Primary target market; highest concentration of attacks
Italy      High           Active NFCShare campaigns impersonating Intesa, Sella, Nexi banks
Spain      High           Active NFCShare campaigns impersonating CaixaBank
Brazil     High           NGate variant distributed via fake lottery websites
Germany    Medium         Initial NFCShare targeting (January 2026)

Future Outlook

"We do not rule out that NFC relay malware itself will continue to evolve and the geography of attacks will expand. That's why this threat should be further closely monitored."
— Sergey Golovanov, Kaspersky

Industry observers predict:
  • Global expansion of NFC relay fraud
  • Mobile malware families further integrating relay capabilities
  • Financial institutions needing advanced device fingerprinting, hardened card provisioning, and extended POS transaction detection

Final Word

The tools are sophisticated. The ecosystem is commercialized. The attack vectors are evolving. But remember: 99% of NFC fraud success depends not on technical complexity, but on social engineering. The scam works because victims trust the voice on the phone, the urgency of the message, or the legitimacy of the interface.

The most effective protection is not a security patch — it's critical thinking. Disable NFC when you don't need it. Never follow instructions from unsolicited callers. If someone pressures you to act immediately, they are not trying to help you — they are trying to rob you.