According to a threat report compiled by ESET Research, cyber attacks using NFC technology have increased by 87%. The report shows that digital fraud is evolving rapidly, moving from the simple “physical” cloning of cards to sophisticated hybrid attacks that exploit social engineering and new-generation malware. Malicious software such as NGate is now able to steal data saved in the address book to orchestrate targeted telephone scams, and RatOn, another insidious piece of malware, is capable of fusing NFC cloning techniques with remote device control, allowing criminals to disable victims’ biometric authentication and operate without their knowledge. Let’s look at these NFC-based threats a little more closely and see what to do to defend yourself.
From NGate to PhantomCard, passing through RatOn: the new threats that exploit NFC and AI
Looking at the findings gathered by ESET researchers between June and November 2025, an epochal change is evident in the way cyber criminals use new technologies: until recently, artificial intelligence was mainly used to create convincing phishing emails, but we are now faced with threats such as PromptLock, a ransomware (a program that encrypts the victim’s data and asks for a ransom) entirely powered by AI and capable of generating attack scripts in real time. But it is in the mobile world that the most interesting dynamics for the common user are found, with malware that exploits the NFC chip growing by 87%; a figure which, although it shows a slowdown compared to the explosion recorded at the beginning of the year, indicates a stabilization towards much more targeted and qualitatively superior attacks.
Let’s take the case of NGate: this malware no longer limits itself to cloning card data to allow illicit withdrawals, but has been updated to exfiltrate the victim’s entire contact list. This step is crucial because it provides attackers with the real names of friends or family, data which is then used to make deceptive calls posing as bank operators, drastically increasing the chances of success of the scam, as observed in several campaigns that hit Poland through fake security emails.
Zooming in on Brazil, researchers tracked the activity of PhantomCard, a local variant of NGate distributed through pages that perfectly imitate the Google Play Store. Here the deception is subtle: users download an app called “Cartões Protection”, convinced by artificially generated positive reviews praising the software’s ability to block scams, when in reality they are installing the very software that will clone their financial data and PIN as soon as they touch the card to the phone for a false authentication.
Even more worrying from a technical perspective is the emergence of RatOn, a malware that represents a qualitative leap in the evolution of cyber threats because it combines NFC fraud with typical RAT functionality. RAT is an acronym that stands for Remote Access Trojan, a Trojan that grants the attacker total remote control of the device. RatOn, spread through deceptive advertisements promising an “adult” version of TikTok or bank identification services, is able to use the accessibility permissions of the Android operating system to independently click on the screen, install additional harmful components and, even more seriously, disable biometric authentication such as fingerprint or facial recognition. This allows attackers to capture the PIN and use automatic transfer systems, or ATS (Automated Transfer System), to empty the accounts, particularly affecting users in the Czech Republic and Slovakia.
The only effective strategies to defend yourself
Given the danger of these threats, what strategies should be adopted to defend oneself? Lukáš Štefanko, senior researcher at ESET, explained:
While the cybersecurity community, financial institutions, and credit card issuers are monitoring and responding to these advances, much of the responsibility still falls on users, meaning their security awareness remains critical. Downloading apps only from official sources and checking permissions carefully can significantly reduce exposure to these ever-evolving threats.
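
For anyone reviewing apps on managed devices, the permission check recommended above can be partly automated against a decoded AndroidManifest.xml. The following is an added example, not code from ESET or from the report; the rules are an assumed mapping from the behaviours described in this article (NFC access, address book reads, accessibility control, installing further components) to standard Android permissions, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
A11Y = "ACCESSIBILITY_SERVICE"  # label used here for a declared accessibility service

# Heuristic combinations (assumption: this mapping is illustrative, not a vendor signature).
RULES = [
    ("nfc+contacts", {P + "NFC", P + "READ_CONTACTS"},
     "reads NFC cards and the address book"),
    ("nfc+accessibility", {P + "NFC", A11Y},
     "reads NFC cards and can operate the screen"),
    ("accessibility+install", {A11Y, P + "REQUEST_INSTALL_PACKAGES"},
     "can operate the screen and install further packages"),
]

def capabilities(manifest_xml):
    """Collect requested permissions plus a marker for any accessibility service."""
    root = ET.fromstring(manifest_xml)
    caps = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE":
            caps.add(A11Y)
    caps.discard(None)  # tolerate <uses-permission> entries without a name
    return caps

def audit(manifest_xml):
    """Return (rule, reason) for every risky combination the manifest satisfies."""
    caps = capabilities(manifest_xml)
    return [(name, why) for name, need, why in RULES if need <= caps]

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
SAMPLE_SUSPICIOUS = HEAD + """
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".Helper"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
SAMPLE_BENIGN = HEAD + """
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, audit(xml))
```

A match is a reason to look closer, not proof of malice: legitimate apps can hold any one of these permissions, which is why the rules only fire on combinations.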
