New NGate variant hides in a trojanized NFC fee app

ESET Analysis has found a brand new variant of the NGate malware household that abuses a respectable Android utility known as HandyPay, as a substitute of the beforehand leveraged NFCGate instrument. The menace actors took the app, which is used to relay NFC information, and patched it with malicious code that seems to have been AI-generated. As with earlier iterations of NGate, the malicious code permits the attackers to switch NFC information from the sufferer’s fee card to their very own system and use it for contactless ATM cash-outs and unauthorized funds. Moreover, the code may seize the sufferer’s fee card PIN and exfiltrate it to the operators’ C&C server.

Key factors of this blogpost:

• ESET researchers found a brand new NGate malware variant abusing the respectable Android HandyPay utility.
• To trojanize HandyPay, menace actors likely used GenAI, indicated by emoji left within the logs which can be typical of AI-generated textual content.
• The marketing campaign has been ongoing since November 2025 and targets Android customers in Brazil.
• Other than relaying NFC information, the malicious code additionally steals fee card PINs.
• We noticed two NGate samples being distributed within the assaults: one through a pretend lottery web site, the opposite by way of a pretend Google Play web site. Each websites have been hosted on the identical area, strongly implying a single menace actor.

The assaults goal customers in Brazil, with the trojanized app being distributed primarily by way of a web site impersonating a Brazilian lottery, Rio de Prêmios, in addition to through a pretend Google Play web page for a supposed card safety app. This isn’t the primary NGate marketing campaign to take goal at Brazil: as we described in our H2 2025 Menace Report, NFC‑primarily based assaults are increasing into new areas (see Determine 1) whereas leveraging extra subtle techniques and methods, with Brazil particularly being focused by a variant of NGate known as PhantomCard. Attackers are experimenting with contemporary social engineering approaches and more and more combining NFC abuse with banking trojan capabilities.

We consider that the marketing campaign distributing trojanized HandyPay started round November 2025 and stays lively on the time of scripting this blogpost. It also needs to be famous that the maliciously patched model of HandyPay has by no means been accessible on the official Google Play retailer. As an App Protection Alliance associate, we shared our findings with Google. Android customers are routinely protected towards recognized variations of this malware by Google Play Shield, which is enabled by default on Android units with Google Play providers.

We additionally reached out to the HandyPay developer to alert them concerning the malicious use of their utility. After establishing communication, they confirmed that they’re conducting an inner investigation on their aspect.

HandyPay abuse

Because the variety of NFC threats retains rising, so is the ecosystem supporting them turning into extra strong. The first NGate assaults employed the open-source NFCGate instrument to facilitate the switch of NFC information. Since then, a number of malware-as-a-service (MaaS) choices with comparable performance, comparable to NFU Pay and TX‑NFC, have turn out to be accessible for buy. These kits are actively marketed to associates on Telegram (one such commercial is depicted in Determine 2). For instance, the aforementioned PhantomCard assaults that additionally focused Brazil employed NFU Pay to facilitate information switch. Within the case of the marketing campaign described on this blogpost, nonetheless, the menace actors determined to go together with their very own resolution and maliciously patched an current app – HandyPay.

HandyPay (official web site) is an Android app that has been accessible on Google Play since 2021. It permits relaying NFC information from one system to a different, which can be utilized to share a card with a member of the family, enable one’s youngster to make a one-time buy, and many others. The information is first learn on the cardholder’s system after which shared with a linked system. After the customers hyperlink their accounts by e-mail, the cardholder scans their fee card through NFC, upon which the encrypted information is transferred over the web to the paired system. That system can then execute tap-to-pay actions utilizing the unique cardholder’s card. For the method to work, the customers have to set HandyPay because the default fee app and register with Google or an email-based token.

As per the developer’s web site, the app features a diploma of monetization (see Determine 3): utilizing the app as a reader is free (“Visitor entry”), however to emulate the cardboard on a paired system (“Person entry”), you supposedly have to subscribe for €9.99 per thirty days. The location, nonetheless, frames this charge as a donation and the fee just isn’t talked about on the official Google Play retailer web page.

Why did the operators of this marketing campaign resolve to trojanize the HandyPay app as a substitute of going with a longtime resolution for relaying NFC information? The reply is easy: cash. The subscription charges for current MaaS kits run within the a whole bunch of {dollars}: NFU Pay advertises its product for nearly US$400 per thirty days, whereas TX-NFC goes for round US$500 per thirty days. HandyPay, alternatively, is considerably cheaper, solely asking for the €9.99 per thirty days donation, if even that. Along with the value, HandyPay natively doesn’t require any permissions, solely to be made the default fee app, serving to the menace actors keep away from elevating suspicion.

As we already alluded to within the introduction, the malicious code used to trojanize HandyPay reveals indicators of getting been produced with the assistance of GenAI instruments. Particularly, the malware logs include emoji typical of AI-generated textual content (see the code snippet in Determine 4), suggesting that LLMs have been concerned in producing or modifying the code, though definitive proof stays elusive. This suits a broader pattern wherein GenAI lowers the barrier to entry for cybercriminals, enabling menace actors with restricted technical talent to provide workable malware.

Evaluation of the marketing campaign

Focusing on

Based mostly on the distribution vectors and the language model of the trojanized app, the marketing campaign targets Android customers in Brazil. Whereas analyzing the attackers’ C&C server, we additionally discovered logs from 4 compromised units, all geolocated in Brazil. The information contained captured PIN codes, IP addresses, and timestamps related to the assaults.

Preliminary entry

As a part of the marketing campaign, we noticed two NGate samples. Though they’re distributed individually, they’re hosted on the identical area and use the identical HandyPay app, indicating a coordinated operation performed by the identical malicious menace actors. The distribution circulation of each samples is depicted in Determine 5.

The primary NGate pattern is distributed by way of a web site that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery group (Loterj). The location reveals a scratch card sport the place the consumer is meant to disclose three matching symbols, with the result rigged in order that the consumer all the time “wins” R$20,000 (see Determine 6). As a way to declare the prize, the consumer is requested to faucet a button that opens the respectable WhatsApp with a prefilled message addressed to a predefined WhatsApp quantity, as proven in Determine 7. To extend credibility, the related WhatsApp account makes use of a profile picture that impersonates Caixa Econômica Federal, Brazil’s government-owned financial institution that manages the vast majority of lotteries within the nation.

That is possible the place the sufferer is directed to the patched HandyPay app masquerading because the Rio de Prêmios app, which is hosted on the identical server because the pretend lottery web site. Throughout testing, we didn’t obtain a reply from the attacker’s WhatsApp account, however we attribute that to not utilizing a Brazilian telephone quantity.

The second NGate pattern is distributed through a pretend Google Play net web page as an app named Proteção Cartão (machine translation: Card Safety). The screenshots in Determine 8 present that victims must manually obtain and set up the app, compromising their units with trojanized HandyPay within the course of. We noticed malicious apps with comparable names being utilized in an October 2025 marketing campaign concentrating on Brazil that deployed the PhantomCard variant of NGate.

Execution circulation

An outline of the operational circulation of the trojanized HandyPay app is proven in Determine 9.

First, the sufferer must manually set up a trojanized model of HandyPay, for the reason that app is just accessible exterior Google Play. When a consumer faucets the obtain app button of their browser, Android routinely blocks the set up and reveals a immediate asking them to permit set up from this supply. The consumer merely must faucet Settings in that immediate, allow “Enable from this supply”, return to the obtain display screen, and proceed putting in the app. As soon as put in, the app asks to be set because the default fee app, which might be seen in Determine 10. This performance just isn’t malicious, as it’s a part of the official HandyPay app. The precise malware injected within the code doesn’t want this setting to be enabled on the sufferer’s telephone to relay NFC information; solely the system receiving the info, i.e., the operator system, wants this setting enabled. No additional permissions are required (see Determine 11), serving to the malicious app keep beneath the radar.

The sufferer is then requested to enter their fee card PIN into the app, and faucet their card on the again of the smartphone with NFC enabled. The malware abuses the HandyPay service to ahead NFC card information to an attacker-controlled system, enabling the menace actor to make use of the sufferer’s fee card information to withdraw money from ATMs. The operator’s system is linked to an e-mail handle hardcoded throughout the malicious app, guaranteeing that every one captured NFC visitors is routed solely to the attacker. Now we have noticed two completely different attacker e-mail addresses getting used within the analyzed samples. On high of the usual batch of knowledge that’s transferred within the NFC relay, the sufferer’s fee card PIN is exfiltrated individually to a devoted C&C server over HTTP (see Determine 12), not counting on HandyPay infrastructure. The C&C endpoint for PIN harvesting additionally capabilities because the distribution server, centralizing each supply and data-collection operations.

Conclusion

With the looks of one more NGate marketing campaign on the scene, it may be plainly seen that NFC fraud is on the rise. This time, as a substitute of utilizing a longtime resolution comparable to NFCGate or a MaaS on supply, the menace actors determined to trojanize HandyPay, an utility with current NFC relay performance. The excessive probability that GenAI was used to assist with the creation of the malicious code demonstrates how cybercrooks can do hurt by abusing LLMs even with out the necessity for technical experience.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis gives non-public APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

A complete checklist of indicators of compromise (IoCs) and samples might be present in our GitHub repository

Recordsdata

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 18 of the MITRE ATT&CK framework.