Police arrest SMS blaster crew that sent malicious messages to thousands across Toronto

In a landmark case for Canadian cybersecurity, Toronto police have arrested three men and filed 44 charges for allegedly operating an SMS blaster in the heart of the city. This marks the first known instance of such a device being used in Canada, according to authorities. The operation, which began in November 2025, targeted tens of thousands of devices with spam text messages over several months.

The scheme relied on an SMS blaster—a device that spoofs cell towers and broadcasts a stronger signal to trick nearby phones and tablets into connecting. Once linked, the blaster can send thousands of texts containing links to phishing sites that mimic legitimate login pages. The goal, said Detective Sergeant Lindsay Riddell of the Toronto Police Service, was to steal usernames and passwords, including banking credentials. Beyond theft, these devices disrupt cellular communications and can interfere with 911 emergency services, posing a serious public safety risk.

How the SMS blaster operation worked

The Toronto police revealed that the SMS blaster was “uniquely built” and operated from the back of a vehicle, allowing the crew to move across multiple locations. This mobile setup made detection harder, as the device could be deployed in crowded downtown areas without raising immediate suspicion. The blaster exploited weaknesses in older 2G cellular networks, which lack modern encryption and authentication protocols. This vulnerability is well-known among cybercriminals, but this case highlights its real-world impact in a major urban center.

Authorities declined to share a photo of the specific device found in Toronto, citing safety reasons, but released an image of a similar blaster from a UK investigation. The tactic mirrors a 2024 case in Thailand, where gang members operated an SMS blaster from a truck in Bangkok, blasting nearly a million messages in just three days. These global incidents underscore the growing threat of portable phishing tools.

Protecting yourself from SMS blaster attacks

Users can block attempts by SMS blasters by switching off their phone’s 2G cellular connectivity. For Apple device owners, enabling Lockdown Mode automatically disables 2G radios, adding a layer of protection. Android users can often find 2G toggle options in their network settings, though availability varies by manufacturer and carrier. Learn how to disable 2G on your phone to stay safe from similar threats.

This arrest is a wake-up call for mobile users and telecom regulators alike. As SMS blasters become more sophisticated, staying vigilant against unsolicited texts is crucial. Never click on links in messages from unknown senders, and always verify the authenticity of login pages by typing URLs directly into your browser. Explore more phishing prevention tips to safeguard your data.
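The advice above comes down to treating any unsolicited link as untrusted and checking whether the host really belongs to the site it claims to be. The following is an added example, not code from the article or from the Toronto Police Service: a small Python triage routine that pulls URLs out of a text message, compares each host against a constructed allowlist of known login hosts (the `examplebank.ca` names are hypothetical), and flags hosts that are either one or two characters away from a known domain or that embed the bank's name inside an unrelated domain, which is how phishing pages "mimic legitimate login pages" while living on attacker-registered domains.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate login hosts (hypothetical names, not from the article).
KNOWN_HOSTS = {"secure.examplebank.ca", "login.examplebank.ca"}

# Matches http(s) URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels.
    Good enough offline; a public-suffix list would be more accurate."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch one-character swaps such as 'examp1ebank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, known_hosts=KNOWN_HOSTS):
    """Classify a URL as 'known', 'lookalike' or 'unknown' relative to the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    if host in known_hosts:
        return "known"
    known_domains = {registrable_domain(h) for h in known_hosts}
    domain = registrable_domain(host)
    if domain in known_domains:
        return "known"  # a subdomain of a domain we already trust
    for kd in known_domains:
        brand = kd.split(".")[0]
        # Typosquat (small edit distance) or brand name buried in a foreign domain.
        if levenshtein(domain, kd) <= 2 or brand in host:
            return "lookalike"
    return "unknown"


def triage_sms(body):
    """Return per-URL verdicts and an overall risk level for one message."""
    verdicts = [(url, assess_url(url)) for url in extract_urls(body)]
    if any(v == "lookalike" for _, v in verdicts):
        risk = "high"
    elif any(v == "unknown" for _, v in verdicts):
        risk = "medium"
    else:
        risk = "low"
    return {"urls": verdicts, "risk": risk}


if __name__ == "__main__":
    # Constructed sample messages, in the style the article describes.
    samples = [
        "Your ExampleBank account is locked. Verify at https://secure.examplebank-ca.com/login",
        "Security alert: sign in at https://examp1ebank.ca/login to restore access",
        "Your statement is ready: https://secure.examplebank.ca/login",
        "Package delayed, reschedule at https://www.example.org/track",
    ]
    for body in samples:
        print(triage_sms(body)["risk"], "-", body)
```

The allowlist is the part a real deployment would maintain: the heuristics only say how far a host is from something you already trust, so an empty or stale allowlist turns every link into "unknown" rather than into a false sense of safety.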

What this means for Canadian cybersecurity

Toronto police have set a precedent by cracking down on an SMS blaster crew in Canada. However, the case raises questions about how prepared telecom networks are to detect and block such devices. Older 2G infrastructure remains a weak link, and while carriers have phased out 2G in some regions, it still operates in many areas for legacy devices and emergency services. Read about Canada’s 2G network phase-out plans to understand the broader context.

Building on this, the arrest serves as a reminder that cybercriminals are quick to exploit outdated technology. For consumers, the best defense is a proactive approach: update your phone’s software regularly, use strong passwords, and enable two-factor authentication wherever possible. As Detective Sergeant Riddell emphasized during the press conference, the scheme aimed to steal banking credentials, making financial vigilance equally important.

In the end, this case is not just about three men in Toronto—it’s about a global trend that requires coordinated action from law enforcement, telecoms, and users. The SMS blaster crew arrested may be off the streets, but the technology they used remains a threat. Stay informed, stay cautious, and always think twice before clicking that unexpected text message link.

Trojanized Android App Fuels New Wave of NFC Fraud: How NGate Malware Steals Payment Data

A fresh variant of the NGate malware family has been uncovered, this time hiding inside a trojanized version of a legitimate Android app. Security researchers at ESET have identified a new campaign that exploits a modified near-field communication (NFC) relay application called HandyPay to intercept payment card data and personal identification numbers (PINs). This marks a significant evolution in NGate malware NFC fraud, moving beyond open-source tools to a more sophisticated, stealthy approach.

How the NGate Malware Campaign Works

According to ESET’s findings, the malicious version of HandyPay has been circulating since November 2025, primarily targeting users in Brazil. Victims are lured through phishing websites that impersonate a Brazilian lottery site or a fake Google Play listing for a card protection tool. Once a user visits these fraudulent pages, they are instructed to manually install the app—bypassing the official Google Play Store.

Because the app is not available on the official store, Android prompts users to allow installations from unknown sources. This social engineering tactic is crucial for the attack to succeed. After installation, the trojanized app requests minimal permissions, relying instead on its ability to become the default payment application on the device. This design helps it avoid detection while maintaining full functionality.

NFC Data Relay and PIN Capture

The malware performs two key actions: it captures NFC data from any payment card tapped on the infected device, and it prompts the victim to enter their card’s PIN. Both pieces of information are then transmitted to attacker-controlled infrastructure. This allows fraudsters to relay the NFC data to their own devices, enabling them to make fraudulent contactless transactions or even withdraw cash from ATMs.

This technique is far more dangerous than simple card skimming. By combining the NFC relay with the PIN, attackers can bypass typical security measures for contactless payments. The campaign demonstrates a clear shift from earlier NGate variants, which relied on open-source tools like NFCGate, to a more targeted approach using a trojanized legitimate app.
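The two sections above make a point worth checking for on managed devices: the trojanized app asks for few permissions and instead registers an NFC host-card-emulation service so that it can become the default payment app, then sends what it captures over the network. The following is an added example, not code from ESET or from the HandyPay developer: a Python manifest-triage routine that parses an AndroidManifest.xml, lists services that declare the `android.nfc.cardemulation.action.HOST_APDU_SERVICE` intent action, and flags the combination of an HCE service, the `INTERNET` permission and a package name outside a constructed allowlist of expected payment apps. The `com.example.relaypay` and `com.example.corpwallet` package names and the sample manifest are constructed for the example. Because a legitimate NFC relay app declares the same service (the article notes that the core functionality is itself legitimate), the output is a triage signal for a fleet administrator to review, not proof of malice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed allowlist: package names expected to act as payment HCE apps on the fleet.
EXPECTED_PAYMENT_APPS = {"com.example.corpwallet"}

# Constructed sample manifest (hypothetical package; not taken from the ESET report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.relaypay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Protect">
    <service android:name=".RelayApduService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest: a flashlight-style app with no NFC services at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(name):
    """ElementTree spelling of an android:-namespaced attribute."""
    return f"{{{ANDROID_NS}}}{name}"


def analyze_manifest(xml_text, expected=EXPECTED_PAYMENT_APPS):
    """Summarise HCE exposure for one manifest and return triage findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    permissions.discard(None)

    # A service whose intent filter carries the HCE action can be offered as a payment app.
    hce_services = []
    for svc in root.iter("service"):
        actions = {act.get(android_attr("name")) for act in svc.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append(svc.get(android_attr("name")))

    findings = []
    if hce_services:
        findings.append(f"declares HCE service(s) {hce_services}: eligible to become the default payment app")
        if "android.permission.INTERNET" in permissions:
            findings.append("HCE service plus INTERNET permission: captured card data could leave the device")
        if package not in expected:
            findings.append(f"package {package!r} is not an expected payment app on this fleet")

    return {
        "package": package,
        "permissions": sorted(permissions),
        "hce_services": hce_services,
        "findings": findings,
        "suspicious": bool(hce_services) and package not in expected,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(report["package"], "suspicious" if report["suspicious"] else "ok")
        for line in report["findings"]:
            print("  -", line)
```

In practice the manifest would come from an APK pulled off a managed device or from an MDM inventory; the check is deliberately cheap so it can run over every installed package, and the allowlist is what turns "has an HCE service" into "has an HCE service we did not expect".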

AI-Assisted Code Generation Suspected

Interestingly, ESET researchers found evidence suggesting that parts of the malicious code may have been generated using generative AI tools. Debug logs within the malware contained emoji markers, a pattern often associated with AI-assisted code generation. While not definitive proof, this aligns with a broader trend of threat actors using large language models (LLMs) to accelerate malware development.

Building on this, the use of AI could make it easier for less technically skilled criminals to create sophisticated malware. This particular campaign, however, still required significant effort in setting up phishing infrastructure and modifying the HandyPay app. The combination of AI-generated code and social engineering makes this NGate malware NFC fraud campaign particularly concerning.

Protecting Against NFC-Based Fraud

Google has been notified of the campaign, and Google Play Protect now detects known versions of the malware. Additionally, the developer of HandyPay has allegedly been contacted and is investigating the misuse of their application. However, users remain the first line of defense.

To protect against this type of Android NFC malware, always download apps from the official Google Play Store. Be wary of any website that instructs you to install an app manually, especially if it claims to offer security or financial services. Furthermore, avoid tapping your payment card on unknown devices, and regularly check your bank statements for unauthorized transactions.

For more insights on mobile banking threats, read our article on APK Malformation Found in Thousands of Android Malware Samples. Additionally, learn about the latest phishing techniques in our guide on How to Spot Phishing Attacks.

The Future of NFC Relay Attacks

This campaign signals a worrying trend. Attackers are moving away from generic malware kits and instead modifying legitimate apps to serve their purposes. The use of a trojanized HandyPay app allows for stealthier operations, as the app’s core functionality—NFC relay—is itself legitimate. As a result, users and security solutions may find it harder to distinguish between a benign app and a malicious one.

Therefore, the financial sector and Android users, particularly in regions like Brazil, must stay vigilant. The combination of NFC relay, PIN capture, and potential AI-assisted development means that NGate malware NFC fraud could become a template for future attacks worldwide.

UK Faces a Cyber ‘Perfect Storm’ as Geopolitical Tensions and AI Reshape Threats

The United Kingdom is navigating what experts call a cyber perfect storm, driven by a convergence of geopolitical strife and rapid technological change. At the CYBERUK 2026 conference in Glasgow, Richard Horne, CEO of the National Cyber Security Centre (NCSC), described the current era as one of “tumultuous uncertainty.” He warned that the combination of artificial intelligence advances and international tensions is creating an unprecedented threat landscape for businesses and individuals alike.

According to the NCSC, the number of nationally significant cyber incidents has remained relatively steady, but the nature of these attacks is evolving. While ransomware remains the most common threat to most organizations, the most dangerous attacks come from nation-state actors. This cyber perfect storm demands a new approach to security—one that prioritizes resilience over simple prevention.

Nation-State Threats: Russia, China, and Iran

Richard Horne outlined how three major adversaries—Russia, China, and Iran—are targeting the UK with distinct tactics and objectives. Each poses a unique challenge, making it difficult to compare them directly.

China’s Sophisticated Espionage

China’s intelligence and military agencies now display an “eye-watering level of sophistication” in their cyber operations, Horne noted. In August 2025, the NCSC and twelve allied agencies publicly linked three Chinese companies to a global campaign targeting critical networks. This activity overlaps with what the industry tracks as Salt Typhoon.

Unlike Russian threat actors, Chinese operations are quieter and more persistent. They have shifted focus from traditional targets to edge infrastructure like routers and VPNs, according to Jamie Collier, lead threat intelligence advisor at Google Threat Intelligence Group (GTIG). This stealthy approach makes detection harder for UK organizations.

Iran’s Growing Boldness

Iran is “almost certainly” using cyber activities to suppress British individuals perceived as threats to the regime, Horne stated. The NCSC has previously warned about targeted attacks via social media messaging apps. In March, the Handala wiper campaign compromised Microsoft Intune environments and wiped devices at a key NHS supplier, showing a dangerous new direction.

Martin Riley, CTO at Bridewell, called Iran “the shifting piece.” He added that UK organizations should expect more direct Iranian or Iran-aligned targeting in the months ahead, not less.

Russia’s War-Forged Tactics

Russia continues to learn cyber lessons from its war in Ukraine. Horne explained that tactics honed in conflict are now being directed at states Russia considers hostile. The NCSC and the National Protective Security Authority observe sustained Russian hybrid activity targeting UK and European assets.

Collier noted that Russia remains the most visible and disruptive threat, mixing sophisticated espionage with a surge in pro-Russia hacktivist activity. However, Bridewell’s data suggests the current Russian effort remains concentrated on Ukraine and espionage against government targets. Direct attacks on UK operational technology are not yet common, but the risk is growing.

UK Preparedness Under the Spotlight

The readiness of UK organizations against sustained nation-state attacks is uncertain. Anthony Young, CEO of Bridewell, cautioned that most businesses are “not well prepared.” Many still struggle with basic security controls and lack full visibility across their estates. At a time when budgets are squeezed, CISOs are forced to do more with less.

Horne urged a “cultural shift” within organizations, calling on everyone—from board members to IT help desk staff—to join the cybersecurity mission. Young agreed, stating that executives need to stop paying lip service to cybersecurity and invest for the long term.

Rob Demain, CEO of e2e-assure, warned that if organizations don’t evolve their detection and response capabilities over the next 12 months, they will become “significantly under prepared.” Collier emphasized moving from a prevention-only mindset to a resilience mindset. Organizations must assume adversaries can gain initial access and focus on making their environments difficult to navigate.

For more insights on building a resilient security posture, read our guide on cyber resilience strategies for UK businesses.

AI: A Cause for Concern

Artificial intelligence is amplifying the cyber perfect storm. Following the release of Anthropic’s Claude Mythos model—which can identify and fix software vulnerabilities at speed—the UK government sent an open letter to business leaders urging them to prepare for rapid AI integration in cybersecurity.

Horne stated at CYBERUK, “Frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale, illustrating how quickly it will expose where fundamentals of cyber security are still to be addressed.” Demain highlighted that zero-day attacks are becoming more common across all business sizes due to AI advancements.

Despite these threats, experts agree that basics still matter. Full visibility across all environments, 24/7 monitoring, and correct technological configuration remain some of the easiest ways to stay a hard target. Learn more about AI-driven cybersecurity threats and how to counter them.

In conclusion, the UK faces a cyber perfect storm that requires immediate action. Geopolitical tensions, nation-state attacks, and AI-driven vulnerabilities are converging. Organizations must invest in resilience, improve basic hygiene, and prepare for a future where threats are more sophisticated than ever.

How Anthropic’s Mythos Is Rewriting Firefox’s Cybersecurity Playbook

When Anthropic released its Mythos model in April, it came with a stark warning for software developers everywhere. The company claimed the system was so adept at detecting security flaws that it had already uncovered thousands of high-severity bugs—bugs that needed patching before the model could go public. Now, Mozilla’s Firefox security team is offering a rare behind-the-scenes look at how Mythos is changing the game for browser security.

For years, AI-powered vulnerability scanners were more of a burden than a breakthrough. They flooded teams with false positives and low-quality reports, making them impractical for real-world use. But according to Mozilla researchers, that narrative has shifted dramatically in just a few months. With the arrival of agentic systems that can evaluate their own findings and discard bad results, the quality of AI-driven bug detection has reached a new level.

Mythos Uncovers Decade-Old Firefox Vulnerabilities

In a post published Thursday, Mozilla revealed that Mythos had unearthed a wealth of critical bugs, including some that had been lurking in Firefox’s codebase for more than ten years. The discovery marks a major leap forward from what AI tools could achieve even six months ago. “It is difficult to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

The results speak volumes. In April 2026, Firefox shipped 423 bug fixes—compared to just 31 in the same month a year earlier. The team has also published details on 12 of the vulnerabilities, which range from two unusual sandbox flaws to a 15-year-old error in how the browser parses an HTML element. Brian Grinstead, a distinguished engineer at Mozilla, put it bluntly: “These things are actually just suddenly very good. We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.”

How AI Is Transforming Sandbox Security Testing

One of the most impressive achievements has been Mythos’ ability to find vulnerabilities in Firefox’s sandbox—the most fortified part of the browser. To uncover a sandbox bug, the model must write a compromised patch for the browser, then attack the most secure component with the new code in place. It’s a delicate, multi-step process that demands both creativity and precision. For context, Mozilla’s bug bounty program offers up to $20,000 for a sandbox vulnerability—the highest reward available. Yet Grinstead says Mythos is finding more sandbox issues than human researchers ever did. “We do get them, but not at the volume that we are able to find with this technique,” he explained.

This shift is particularly significant because sandbox vulnerabilities are notoriously difficult to detect. Exploiting them requires an intricate chain of actions, and only the most skilled researchers have historically succeeded. Mythos’ ability to handle such complexity suggests that AI is no longer just a helper—it’s becoming a primary tool for deep security analysis.

AI Finds the Bugs, But Humans Still Fix Them

Despite the impressive detection capabilities, Mozilla is not yet using AI to patch the vulnerabilities it finds. The team does ask the model to code up potential fixes, but the resulting patches usually can’t be deployed directly. Instead, they serve as a blueprint for human engineers. “For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead said. “We have not found it to be automatable.”

This cautious approach highlights a key reality: while AI has become exceptional at finding problems, the nuanced work of crafting safe, production-ready fixes still requires human judgment. As a result, the workflow has evolved into a partnership where AI handles the heavy lifting of discovery, and humans take over for remediation.

What Mythos Means for the Future of Cybersecurity

The broader implications of Mythos’ capabilities are still unfolding. Since the model was previewed, most of the bugs it discovered likely haven’t been patched yet, making it difficult to assess the full scope of its impact. Anthropic has been meticulous about following responsible disclosure norms, but it’s reasonable to assume that malicious actors are experimenting with similar techniques behind the scenes—even if their models aren’t quite as advanced.

Speaking at a recent event, Anthropic CEO Dario Amodei expressed optimism that these tools would ultimately favor defenders. “If we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find. So I think there’s a better world on the other side of this.” Grinstead, who has dealt with the gritty details firsthand, offers a more measured take: “It’s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.”

For now, one thing is clear: the age of AI-driven vulnerability discovery is here, and it’s already reshaping how major organizations like Mozilla approach cybersecurity. To learn more about how AI is transforming other areas of tech, check out our guide on AI security tools for developers. For a deeper dive into browser security trends, see browser vulnerability management best practices.