NGate NFC malware targets Android users through trojanized payment app

NFC-based payment fraud is becoming a global concern. One campaign, active since November 2025, targets Android users in Brazil with a new variant of the NGate malware family hidden inside a trojanized copy of HandyPay, a legitimate NFC relay application that has been available on Google Play since 2021. ESET Research identified the campaign and attributes two distinct NGate samples to the same threat actor: both are distributed from a single domain and both are built on the modified HandyPay app.

Cost drove the choice of HandyPay

The decision to trojanize the HandyPay app instead of opting for an established malware-as-a-service (MaaS) solution appears to stem from financial considerations. ESET researcher Lukáš Štefanko, who uncovered the new NGate variant, elaborated on this reasoning: “The operators of this campaign likely chose HandyPay due to its affordability. Existing MaaS kits can cost hundreds of dollars—NFU Pay charges nearly 0 per month, while TX-NFC is priced at around 0 per month. In contrast, the HandyPay app only requests a €9.99 monthly donation, if that. Additionally, HandyPay requires minimal permissions, only needing to be set as the default payment app, which helps the threat actors avoid detection.”

AI-generated code in the malware?

The malicious code added to HandyPay uses emoji in its log strings, a pattern typical of code produced by large language models, and ESET researchers suspect the malware was written with the help of generative AI. There is no definitive evidence of this, but the observation fits a broader trend of criminals using LLMs to produce working malicious code without much programming skill.

Two distribution vectors

This campaign employs two primary delivery methods. The first involves a counterfeit website that mimics Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization. Visitors to this site are greeted with a scratch card game that guarantees a win of R,000. To claim their prize, users are prompted to click a button that opens WhatsApp with a pre-filled message directed to an attacker-controlled number. The WhatsApp account masquerades as Caixa Econômica Federal, Brazil’s government-owned bank responsible for managing most national lotteries. Victims are then guided to download the trojanized HandyPay APK, which is disguised as the Rio de Prêmios app.

The second vector is a fake web page imitating Google Play that offers the malware as Proteção Cartão (Card Protection). Because the app is not on the real store, victims have to download the APK manually and accept Android's warning about installing apps from unknown sources.

What the malware does

Once installed, the app asks to be set as the default NFC payment application, which the legitimate HandyPay app also does. The malware then prompts the victim to enter the payment card's PIN and hold the card against the phone with NFC enabled. From that point it relays the data read from the card over NFC to an attacker-controlled device, which uses it to perform contactless transactions and, with the captured PIN, ATM withdrawals as if it were the victim's card. The PIN is exfiltrated separately over HTTP to a dedicated command-and-control server that is unrelated to HandyPay's own infrastructure. The same server also hosts the APK files, so delivery and data collection share one piece of infrastructure.
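What "set as the default NFC payment application" means at the package level is a host card emulation (HCE) service declaring an AID group in the payment category; an app that has that plus network access has the minimum an NFC relay needs. The script below is an added triage example written for this article, not code from ESET or the HandyPay project. It runs on a decoded AndroidManifest.xml and the XML resource the HCE service points to (apktool or androguard produce both from an APK); the sample manifest and resource are constructed for the example and do not come from the real malware.

```python
"""Manifest-level triage: does this app register a payment HCE service, and
can it talk to the network? (Added example; sample inputs are constructed.)"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
INTERNET = "android.permission.INTERNET"

# Constructed sample: a hypothetical "Card Protection" app whose HCE service
# claims the payment category and which also holds INTERNET.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardprotection">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Protection">
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml referenced by the service above.
SAMPLE_APDU_SERVICE = """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc"
    android:requireDeviceUnlock="false">
  <aid-group android:category="payment" android:description="@string/aid_desc">
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""


def _name(elem):
    return elem.get(ANDROID_NS + "name")


def manifest_permissions(manifest_xml):
    """Set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_name(p) for p in root.iter("uses-permission")}


def find_hce_services(manifest_xml):
    """Every <service> that handles HOST_APDU_SERVICE intents, with the
    @xml resource holding its AID groups (None if the meta-data is missing)."""
    root = ET.fromstring(manifest_xml)
    services = []
    for svc in root.iter("service"):
        if HCE_ACTION not in {_name(a) for a in svc.iter("action")}:
            continue
        resource = next((md.get(ANDROID_NS + "resource")
                         for md in svc.findall("meta-data")
                         if _name(md) == HCE_META), None)
        services.append({"name": _name(svc), "resource": resource})
    return services


def aid_categories(apdu_service_xml):
    """Categories ("payment" / "other") declared by the service's AID groups."""
    root = ET.fromstring(apdu_service_xml)
    return {g.get(ANDROID_NS + "category") for g in root.iter("aid-group")}


def triage(manifest_xml, xml_resources):
    """xml_resources maps '@xml/<name>' to the text of res/xml/<name>.xml."""
    perms = manifest_permissions(manifest_xml)
    result = {"payment_services": [], "network_capable": INTERNET in perms,
              "findings": []}
    for svc in find_hce_services(manifest_xml):
        cats = aid_categories(xml_resources.get(svc["resource"],
                                                "<host-apdu-service/>"))
        if "payment" in cats:
            result["payment_services"].append(svc["name"])
            result["findings"].append(
                f"{svc['name']} declares a payment AID group: the app can be "
                "chosen as the default NFC payment app")
    if result["payment_services"] and result["network_capable"]:
        result["findings"].append(
            "payment HCE service plus INTERNET: the phone can act as a card "
            "towards a terminal while exchanging APDUs with a remote peer")
    return result


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST,
                       {"@xml/apduservice": SAMPLE_APDU_SERVICE})["findings"]:
        print("-", line)
```

This is a filter, not a verdict: every legitimate wallet app matches both conditions, so the output is a prompt to look at where the app sends data, not proof of malice. On a live device, `adb shell settings get secure nfc_payment_default_component` shows which component is currently the default payment service, which is the quickest way to check whether a freshly sideloaded app has already taken that role.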

ESET discovered logs from four compromised devices on the attacker’s command-and-control server, all located in Brazil, containing captured PINs, IP addresses, and timestamps.

Protection and disclosure

The trojanized HandyPay application has never appeared on the official Google Play store. ESET notified Google through the App Defense Alliance and contacted the HandyPay developer directly, who confirmed that an internal investigation is underway.
