Intel Name: RelayNFC: The New NFC Relay Malware Targeting Brazil
Date of Scan: November 26, 2025
Impact: Medium
Summary: RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present. Built with React Native and Hermes bytecode, RelayNFC is lightweight, evasive, and difficult to analyze, with VirusTotal showing zero detections. The campaign uses convincing Portuguese-language phishing sites to trick victims into installing the malicious app, and related variants indicate the threat actors are experimenting with techniques such as Host Card Emulation. The operation mirrors a broader rise in NFC-abusing malware families like NGate, SuperCardX, and PhantomCard, with multiple coordinated sites distributing the same RelayNFC payload.