
NGate Resurfaces in Trojanized NFC Payment App Targeting Android Users in Brazil

NGate Android malware shifts tactics with trojanized NFC app.

A new variant of NGate Android malware is hiding inside a trojanized version of HandyPay, a legitimate NFC relay app, in a campaign targeting users in Brazil, according to ESET Research.

Attackers are using the modified app to steal payment card data and PINs, then relay the stolen card information to devices they control for contactless ATM withdrawals and fraudulent purchases. ESET said the campaign has been active since at least November 2025.

The activity marks a shift in tactics. Earlier NGate campaigns relied on the open-source NFCGate tool. This version modifies HandyPay instead. ESET said that approach lets attackers use existing NFC relay functions while keeping costs low and avoiding extra permissions that could draw attention.

Researchers also said the malicious code shows signs of GenAI assistance. Those signs include emoji in log strings often associated with AI-generated text. ESET did not describe that as conclusive proof.

Victims are lured through two main paths. One starts with a fake Rio de Prêmios lottery site that pushes users into a WhatsApp-based scam. The other uses a counterfeit Google Play page advertising a bogus “Proteção Cartão” app. In both cases, users are tricked into sideloading the malicious app, entering their card PIN, and tapping their payment card to the phone. That gives attackers the data they need to withdraw cash or make purchases.

ESET said the malicious HandyPay build was never distributed through the official Google Play store. Google Play Protect detects known versions of the malware. ESET said it shared its findings with Google and alerted the HandyPay developer, which has opened an internal investigation.

Photo by Jonas Leupe on Unsplash
