A new variant of the NGate malware family has emerged, utilizing a trojanized Android application to illicitly capture payment card data and personal identification numbers (PINs). Research published by ESET on April 21 reveals that this latest campaign has replaced previous tools with a modified version of HandyPay, a legitimate near-field communication (NFC) relay app. This modification enables attackers to intercept and reuse sensitive financial information.
According to the researchers, the malicious iteration of HandyPay has been distributed since November 2025, primarily targeting users in Brazil. Once installed, the app relays NFC payment card data from victims to devices controlled by the attackers, facilitating fraudulent contactless transactions and ATM withdrawals.
Two distinct malware samples have been observed, both delivered through phishing infrastructure hosted on the same domain. One sample impersonates a Brazilian lottery site, while the other mimics a Google Play listing for a card protection tool.
Trojanized App Enables Stealthy NFC Abuse
In a departure from traditional malware-as-a-service (MaaS) kits, the operators have ingeniously modified HandyPay to integrate malicious functionality. The legitimate app allows users to share NFC card data between devices, a feature that attackers have repurposed to forward payment information discreetly.
Victims are lured into installing the app manually after engaging with counterfeit websites. Since the app is not available on official platforms, Android prompts users during installation to permit apps from unknown sources.
Once installed, the malware executes several actions:
- Captures NFC data from payment cards tapped on the device
- Requests and records the victim’s card PIN
- Transmits both data sets to attacker-controlled infrastructure
Distinct from many Android threats, the trojanized app requests minimal permissions, relying instead on its role as the device's default payment application to handle NFC card data. This design choice reduces the permission prompts that might raise suspicion while still allowing the relay to function fully.
GenAI Suspected in Malware Development
Evidence suggests that the malicious code may have been partially generated using generative AI tools. Researchers have identified emoji markers within debug logs, a characteristic often linked to AI-assisted code generation.
While this does not serve as definitive proof, the findings resonate with a broader trend where threat actors employ large language models (LLMs) to expedite malware development.
This campaign also signifies a shift in NFC-based fraud techniques. Earlier NGate variants relied on open-source tools such as NFCGate, but the latest operations increasingly merge NFC relay capabilities with banking trojan features.
ESET has shared its findings with Google, and Google Play Protect is equipped to detect known versions of the malware. Additionally, the developer of HandyPay has reportedly been notified and is currently investigating the misuse of its application.