Turning off your smartphone’s NFC can prevent cyber attacks that steal data: here’s how to defend yourself

According to a threat report compiled by ESET Research, cyber attacks using NFC technology have increased by 87%. The report shows that digital fraud is evolving rapidly, moving from simple "physical" card cloning to sophisticated hybrid attacks that combine social engineering with new-generation malware. Malicious software such as NGate can now steal the contacts saved in the address book to orchestrate targeted telephone scams, and RatOn, another insidious piece of malware, combines NFC cloning techniques with remote device control, allowing criminals to disable victims' biometric authentication and operate without their knowledge. Let's take a closer look at NFC-based threats and see what you can do to defend yourself.

From NGate to PhantomCard, passing through RatOn: the new threats that exploit NFC and AI

The findings gathered by ESET researchers between June and November 2025 show a major change in the way cyber criminals use new technologies. Until recently, artificial intelligence was mainly used to write convincing phishing emails; now we are faced with threats such as PromptLock, a ransomware (a program that encrypts the victim's data and demands a ransom) that is entirely AI-driven and capable of generating attack scripts in real time. For the ordinary user, however, the most interesting developments are in the mobile world, where malware that exploits the NFC chip grew by 87%. Although this figure shows a slowdown compared to the explosion recorded at the beginning of the year, it indicates a stabilization towards much more targeted and higher-quality attacks.

Take the case of NGate: this malware no longer limits itself to cloning card data to allow illicit withdrawals, but has been updated to exfiltrate the victim's entire contact list. This step is crucial because it gives attackers the real names of friends and family, which are then used in deceptive calls in which the attackers pose as bank operators, drastically increasing the scam's chances of success, as observed in several campaigns that hit Poland via fake security emails.

In Brazil, the researchers tracked the activity of PhantomCard, a local variant of NGate distributed through pages that closely mimic the Google Play Store. Here the deception is subtle: users download an app called “Cartões Protection”, convinced by artificially generated positive reviews praising the software's ability to block scams, when in reality they are installing the very software that will clone their financial data and PIN as soon as they hold their card close to their phone for a fake authentication.

Even more worrying from a technical point of view is the emergence of RatOn, a malware that represents a qualitative leap in the evolution of cyber threats because it combines NFC fraud with the typical functionality of RATs, an acronym that stands for Remote Access Trojan, that is, Trojans that grant the attacker total remote control of the device. RatOn is spread through misleading advertisements promising an "adult" version of TikTok or bank identification services. It uses the accessibility permissions of the Android operating system to click on the screen autonomously, install additional malicious components and, even more seriously, deactivate biometric authentication such as fingerprint or facial recognition. This allows attackers to capture PINs and use an Automated Transfer System (ATS) to empty accounts, particularly affecting users in the Czech Republic and Slovakia.

The only effective strategies to defend yourself

Given the danger of these threats, what strategies should be adopted to defend oneself? Lukáš Štefanko, senior researcher at ESET, explained:

While the cybersecurity community, financial institutions, and credit card issuers are monitoring and responding to these advances, much of the responsibility still falls on users, meaning their security awareness remains critical. Downloading apps only from official sources and carefully checking permissions can significantly reduce your exposure to these ever-evolving threats.
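
As an added example (not part of the ESET report or the original article), the permission check recommended above can be partly automated on Android by combining the output of `adb shell pm list packages -i -3`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <name>`. The sample outputs and package names below are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample of: adb shell pm list packages -i -3
PM_LIST = """\
package:com.example.wallet  installer=com.android.vending
package:com.example.cardprotect  installer=null
package:com.example.videoplus  installer=com.google.android.packageinstaller
"""
# Constructed sample of: adb shell settings get secure enabled_accessibility_services
A11Y = "com.example.videoplus/com.example.videoplus.HelperService"
# Constructed excerpts of: adb shell dumpsys package <name>
HEAD, TAIL = "    requested permissions:\n", "    install permissions:\n"
DUMPS = {
    "com.example.wallet": HEAD + "      android.permission.NFC\n" + TAIL,
    "com.example.cardprotect": HEAD + "      android.permission.NFC\n"
                               "      android.permission.READ_CONTACTS\n" + TAIL,
    "com.example.videoplus": HEAD + "      android.permission.NFC\n" + TAIL,
}

def requested_permissions(dump):
    """Collect the permission names listed under 'requested permissions:'."""
    perms, inside = set(), False
    for line in dump.splitlines():
        text = line.strip()
        if text == "requested permissions:":
            inside = True
        elif inside and text.endswith(":"):
            break  # reached the next section header
        elif inside and text:
            perms.add(text.split(":")[0])  # drop suffixes such as ': restricted=true'
    return perms

def audit(pm_list, a11y, dumps):
    """Return {package: [findings]} for apps not installed by a trusted store."""
    a11y_pkgs = {c.split("/")[0] for c in a11y.split(":") if "/" in c}
    report = {}
    for pkg, installer in re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_list, re.M):
        if installer in TRUSTED_INSTALLERS:
            continue
        findings = [f"installer={installer}"]
        perms = requested_permissions(dumps.get(pkg, ""))
        if "android.permission.NFC" in perms:
            findings.append("requests NFC")
        if "android.permission.READ_CONTACTS" in perms:
            findings.append("requests contacts")
        if pkg in a11y_pkgs:
            findings.append("accessibility service enabled")
        report[pkg] = findings
    return report
```

A sideloaded app that both requests NFC and has an accessibility service enabled matches the combination described for RatOn and is the first candidate for review and removal.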