NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs

Summary

Cybersecurity researchers discovered a new NGate Android malware campaign targeting Brazil that compromises the legitimate HandyPay application with AI-generated malicious code. The trojanized app steals NFC contactless payment card data and PINs, enabling attackers to conduct unauthorized ATM withdrawals and fraudulent transactions. The malware is distributed via fake lottery websites and fraudulent Google Play Store listings, with the campaign active since November 2025.

Full text

NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs Ravie LakshmananApr 21, 2026Mobile Security / Artificial Intelligence Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. "As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim's payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments." In addition, the malicious payload is capable of capturing the victim's payment card PIN and exfiltrating it to the threat actor's command-and-control (C2) server. NGate, also known as NFSkate, was first publicly documented by the Slovakian cybersecurity vendor in August 2024, detailing its ability to carry out relay attacks to siphon victims' contactless payment data with an aim to conduct fraudulent transactions. A year later, Dutch mobile security company ThreatFabric detailed a threat codenamed RatOn that used dropper apps impersonating adult-friendly versions of TikTok to deploy NGate to carry out NFC relay attacks. The latest version of NGate detected by ESET has primarily targeted users in Brazil, marking the first such campaign to single out the South American nation. The trojanized HandyPay application is distributed via websites masquerading as Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and a Google Play Store listing page for a purported card protection app. The fake lottery website seeks to convince a user to tap a button to send a WhatsApp message to claim the prize money, at which point they are directed to likely download the poisoned version of the HandyPay app.Regardless of the method used, the app asks to be set as the default payment app following installation. Then, the victim is asked to enter the payment card PIN into the app and tap their card on the back of the NFC-enabled smartphone. As soon as this step is carried out, the malware abuses HandyPay to capture and relay the NFC card data to an attacker-controlled device, thereby allowing them to use the stolen information to make cash withdrawals from ATMs. The active campaign is assessed to have begun around November 2025. The malicious version of HandyPay has never been made available on the Google Play Store, meaning attackers are using the aforementioned methods as delivery mechanisms to trick unsuspecting users into downloading them. HandyPay has since launched an internal investigation into the matter. ESET noted that the cheaper subscription prices for HandyPay may have caused the operators of the campaign to switch as opposed to sticking with existing turnkey solutions that cost north of $400 per month. "In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion," the company pointed out. An analysis of the artifact has revealed the presence of emojis in debug and toast messages, highlighting the possible use of a large language model (LLM) to generate or modify the source code. While conclusive proof remains elusive, the development aligns with a broader trend of cybercriminals latching on to generative artificial intelligence (AI) to produce malware even with little to no technical expertise. "With the appearance of yet another NGate campaign on the scene, it can be plainly seen that NFC fraud is on the rise," ESET said. "This time, instead of using an established solution such as NFCGate or a MaaS on offer, the threat actors decided to trojanize HandyPay, an application with existing NFC relay functionality." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, artificial intelligence, cybersecurity, Financial Crime, mobile security, NFC Fraud, social engineering, Threat Intelligence Trending News 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation The Hidden Security Risks of Shadow AI in Enterprises Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

• malware — NGate
• malware — NFSkate
• malware — RatOn

Entities