New NGate variant hides in a trojanized NFC cost app

ESET Analysis has found a brand new variant of the NGate malware household that abuses a professional Android software referred to as HandyPay, as a substitute of the beforehand leveraged NFCGate instrument. The risk actors took the app, which is used to relay NFC information, and patched it with malicious code that seems to have been AI-generated. As with earlier iterations of NGate, the malicious code permits the attackers to switch NFC information from the sufferer’s cost card to their very own system and use it for contactless ATM cash-outs and unauthorized funds. Moreover, the code may seize the sufferer’s cost card PIN and exfiltrate it to the operators’ C&C server.

Key factors of this blogpost:

• ESET researchers found a brand new NGate malware variant abusing the professional Android HandyPay software.
• To trojanize HandyPay, risk actors most likely used GenAI, indicated by emoji left within the logs which can be typical of AI-generated textual content.
• The marketing campaign has been ongoing since November 2025 and targets Android customers in Brazil.
• Other than relaying NFC information, the malicious code additionally steals cost card PINs.
• We noticed two NGate samples being distributed within the assaults: one by way of a faux lottery web site, the opposite by way of a faux Google Play web site. Each websites have been hosted on the identical area, strongly implying a single risk actor.

The assaults goal customers in Brazil, with the trojanized app being distributed primarily by way of an internet site impersonating a Brazilian lottery, Rio de Prêmios, in addition to by way of a faux Google Play web page for a supposed card safety app. This isn’t the primary NGate marketing campaign to take goal at Brazil: as we described in our H2 2025 Menace Report, NFC‑based mostly assaults are increasing into new areas (see Determine 1) whereas leveraging extra subtle ways and strategies, with Brazil specifically being focused by a variant of NGate referred to as PhantomCard. Attackers are experimenting with recent social engineering approaches and more and more combining NFC abuse with banking trojan capabilities.

We imagine that the marketing campaign distributing trojanized HandyPay started round November 2025 and stays energetic on the time of penning this blogpost. It must also be famous that the maliciously patched model of HandyPay has by no means been obtainable on the official Google Play retailer. As an App Protection Alliance accomplice, we shared our findings with Google. Android customers are mechanically protected in opposition to identified variations of this malware by Google Play Defend, which is enabled by default on Android gadgets with Google Play providers.

We additionally reached out to the HandyPay developer to alert them concerning the malicious use of their software. After establishing communication, they confirmed that they’re conducting an inside investigation on their facet.

HandyPay abuse

Because the variety of NFC threats retains rising, so is the ecosystem supporting them changing into extra sturdy. The primary NGate assaults employed the open-source NFCGate instrument to facilitate the switch of NFC information. Since then, a number of malware-as-a-service (MaaS) choices with related performance, akin to NFU Pay and TX‑NFC, have grow to be obtainable for buy. These kits are actively marketed to associates on Telegram (one such commercial is depicted in Determine 2). For instance, the aforementioned PhantomCard assaults that additionally focused Brazil employed NFU Pay to facilitate information switch. Within the case of the marketing campaign described on this blogpost, nonetheless, the risk actors determined to go together with their very own answer and maliciously patched an present app – HandyPay.

HandyPay (official web site) is an Android app that has been obtainable on Google Play since 2021. It permits relaying NFC information from one system to a different, which can be utilized to share a card with a member of the family, enable one’s little one to make a one-time buy, and many others. The information is first learn on the cardholder’s system after which shared with a linked system. After the customers hyperlink their accounts by electronic mail, the cardholder scans their cost card by way of NFC, upon which the encrypted information is transferred over the web to the paired system. That system can then execute tap-to-pay actions utilizing the unique cardholder’s card. For the method to work, the customers must set HandyPay because the default cost app and register with Google or an email-based token.

As per the developer’s web site, the app features a diploma of monetization (see Determine 3): utilizing the app as a reader is free (“Visitor entry”), however to emulate the cardboard on a paired system (“Person entry”), you supposedly must subscribe for €9.99 per thirty days. The location, nonetheless, frames this charge as a donation and the cost is just not talked about on the official Google Play retailer web page.

Why did the operators of this marketing campaign determine to trojanize the HandyPay app as a substitute of going with a longtime answer for relaying NFC information? The reply is straightforward: cash. The subscription charges for present MaaS kits run within the lots of of {dollars}: NFU Pay advertises its product for nearly US$400 per thirty days, whereas TX-NFC goes for round US$500 per thirty days. HandyPay, then again, is considerably cheaper, solely asking for the €9.99 per thirty days donation, if even that. Along with the value, HandyPay natively doesn’t require any permissions, solely to be made the default cost app, serving to the risk actors keep away from elevating suspicion.

As we already alluded to within the introduction, the malicious code used to trojanize HandyPay exhibits indicators of getting been produced with the assistance of GenAI instruments. Particularly, the malware logs comprise emoji typical of AI-generated textual content (see the code snippet in Determine 4), suggesting that LLMs have been concerned in producing or modifying the code, though definitive proof stays elusive. This matches a broader pattern during which GenAI lowers the barrier to entry for cybercriminals, enabling risk actors with restricted technical talent to supply workable malware.

Evaluation of the marketing campaign

Focusing on

Based mostly on the distribution vectors and the language model of the trojanized app, the marketing campaign targets Android customers in Brazil. Whereas analyzing the attackers’ C&C server, we additionally discovered logs from 4 compromised gadgets, all geolocated in Brazil. The information contained captured PIN codes, IP addresses, and timestamps related to the assaults.

Preliminary entry

As a part of the marketing campaign, we noticed two NGate samples. Though they’re distributed individually, they’re hosted on the identical area and use the identical HandyPay app, indicating a coordinated operation performed by the identical malicious risk actors. The distribution circulation of each samples is depicted in Determine 5.

The primary NGate pattern is distributed by way of an internet site that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery group (Loterj). The location exhibits a scratch card recreation the place the person is meant to disclose three matching symbols, with the end result rigged in order that the person at all times “wins” R$20,000 (see Determine 6). As a way to declare the prize, the person is requested to faucet a button that opens the professional WhatsApp with a prefilled message addressed to a predefined WhatsApp quantity, as proven in Determine 7. To extend credibility, the related WhatsApp account makes use of a profile picture that impersonates Caixa Econômica Federal, Brazil’s government-owned financial institution that manages nearly all of lotteries within the nation.

That is possible the place the sufferer is directed to the patched HandyPay app masquerading because the Rio de Prêmios app, which is hosted on the identical server because the faux lottery web site. Throughout testing, we didn’t obtain a reply from the attacker’s WhatsApp account, however we attribute that to not utilizing a Brazilian telephone quantity.

The second NGate pattern is distributed by way of a faux Google Play net web page as an app named Proteção Cartão (machine translation: Card Safety). The screenshots in Determine 8 present that victims must manually obtain and set up the app, compromising their gadgets with trojanized HandyPay within the course of. We noticed malicious apps with related names being utilized in an October 2025 marketing campaign focusing on Brazil that deployed the PhantomCard variant of NGate.

Execution circulation

An summary of the operational circulation of the trojanized HandyPay app is proven in Determine 9.

First, the sufferer must manually set up a trojanized model of HandyPay, because the app is simply obtainable exterior Google Play. When a person faucets the obtain app button of their browser, Android mechanically blocks the set up and exhibits a immediate asking them to permit set up from this supply. The person merely must faucet Settings in that immediate, allow “Permit from this supply”, return to the obtain display screen, and proceed putting in the app. As soon as put in, the app asks to be set because the default cost app, which might be seen in Determine 10. This performance is just not malicious, as it’s a part of the official HandyPay app. The precise malware injected within the code doesn’t want this setting to be enabled on the sufferer’s telephone to relay NFC information; solely the system receiving the info, i.e., the operator system, wants this setting enabled. No additional permissions are required (see Determine 11), serving to the malicious app keep beneath the radar.

The sufferer is then requested to enter their cost card PIN into the app, and faucet their card on the again of the smartphone with NFC enabled. The malware abuses the HandyPay service to ahead NFC card information to an attacker-controlled system, enabling the risk actor to make use of the sufferer’s cost card information to withdraw money from ATMs. The operator’s system is linked to an electronic mail handle hardcoded throughout the malicious app, guaranteeing that each one captured NFC site visitors is routed completely to the attacker. We have now noticed two completely different attacker electronic mail addresses getting used within the analyzed samples. On prime of the usual batch of information that’s transferred within the NFC relay, the sufferer’s cost card PIN is exfiltrated individually to a devoted C&C server over HTTP (see Determine 12), not counting on HandyPay infrastructure. The C&C endpoint for PIN harvesting additionally features because the distribution server, centralizing each supply and data-collection operations.

Conclusion

With the looks of yet one more NGate marketing campaign on the scene, it may be plainly seen that NFC fraud is on the rise. This time, as a substitute of utilizing a longtime answer akin to NFCGate or a MaaS on supply, the risk actors determined to trojanize HandyPay, an software with present NFC relay performance. The excessive probability that GenAI was used to assist with the creation of the malicious code demonstrates how cybercrooks can do hurt by abusing LLMs even with out the necessity for technical experience.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis affords personal APT intelligence studies and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

A complete record of indicators of compromise (IoCs) and samples might be present in our GitHub repository

Information

Community

MITRE ATT&CK strategies

This desk was constructed utilizing model 18 of the MITRE ATT&CK framework.