ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim's payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments. Additionally, the code can also capture the victim's payment card PIN and exfiltrate it to the operators' C&C server.
Key points of this blogpost:
- ESET researchers discovered a new NGate malware variant abusing the legitimate Android HandyPay application.
- To trojanize HandyPay, the threat actors probably used GenAI, as indicated by emoji left in the logs that are typical of AI-generated text.
- The campaign has been ongoing since November 2025 and targets Android users in Brazil.
- Besides relaying NFC data, the malicious code also steals payment card PINs.
- We observed two NGate samples being distributed in the attacks: one via a fake lottery website, the other through a fake Google Play website. Both websites were hosted on the same domain, strongly implying a single threat actor.
The attacks target users in Brazil, with the trojanized app being distributed primarily through a website impersonating a Brazilian lottery, Rio de Prêmios, as well as via a fake Google Play page for a supposed card protection app. This isn't the first NGate campaign to take aim at Brazil: as we described in our H2 2025 Threat Report, NFC-based attacks are expanding into new regions (see Figure 1) while leveraging more sophisticated tactics and techniques, with Brazil specifically being targeted by a variant of NGate called PhantomCard. Attackers are experimenting with fresh social engineering approaches and increasingly combining NFC abuse with banking trojan capabilities.

We believe that the campaign distributing trojanized HandyPay started around November 2025 and remains active at the time of writing this blogpost. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.
We also reached out to the HandyPay developer to alert them about the malicious use of their application. After establishing communication, they confirmed that they are conducting an internal investigation on their side.
HandyPay abuse
As the number of NFC threats keeps rising, the ecosystem supporting them is becoming more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality, such as NFU Pay and TX-NFC, have become available for purchase. These kits are actively advertised to affiliates on Telegram (one such advertisement is depicted in Figure 2). For example, the aforementioned PhantomCard attacks that also targeted Brazil employed NFU Pay to facilitate data transfer. In the case of the campaign described in this blogpost, however, the threat actors decided to go with their own solution and maliciously patched an existing app: HandyPay.

HandyPay (official website) is an Android app that has been available on Google Play since 2021. It enables relaying NFC data from one device to another, which can be used to share a card with a family member, allow one's child to make a one-time purchase, and so on. The data is first read on the cardholder's device and then shared with a linked device. After the users link their accounts via email, the cardholder scans their payment card via NFC, upon which the encrypted data is transferred over the internet to the paired device. That device can then execute tap-to-pay actions using the original cardholder's card. For the process to work, the users need to set HandyPay as the default payment app and sign in with Google or an email-based token.
As per the developer's website, the app includes a degree of monetization (see Figure 3): using the app as a reader is free ("Guest access"), but to emulate the card on a paired device ("User access"), you supposedly need to subscribe for €9.99 per month. The website, however, frames this fee as a donation, and the price isn't mentioned on the official Google Play store page.

Why did the operators of this campaign decide to trojanize the HandyPay app instead of going with an established solution for relaying NFC data? The answer is simple: money. The subscription fees for existing MaaS kits run in the hundreds of dollars: NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. HandyPay, on the other hand, is significantly cheaper, only asking for the €9.99 per month donation, if even that. In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion.
As we already alluded to in the introduction, the malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain emoji typical of AI-generated text (see the code snippet in Figure 4), suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce viable malware.

Analysis of the campaign
Targeting
Based on the distribution vectors and the language version of the trojanized app, the campaign targets Android users in Brazil. While analyzing the attackers' C&C server, we also found logs from four compromised devices, all geolocated in Brazil. The data contained captured PIN codes, IP addresses, and timestamps associated with the attacks.
Initial access
As part of the campaign, we observed two NGate samples. Although they are distributed separately, they are hosted on the same domain and use the same HandyPay app, indicating a coordinated operation conducted by the same threat actors. The distribution flow of both samples is depicted in Figure 5.

The first NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The website displays a scratch card game where the user is supposed to reveal three matching symbols, with the outcome rigged so that the user always "wins" R$20,000 (see Figure 6). In order to claim the prize, the user is asked to tap a button that opens the legitimate WhatsApp app with a prefilled message addressed to a predefined WhatsApp number, as shown in Figure 7. To increase credibility, the associated WhatsApp account uses a profile picture that impersonates Caixa Econômica Federal, Brazil's government-owned bank that manages the majority of lotteries in the country.


This is most likely where the victim is directed to the patched HandyPay app masquerading as the Rio de Prêmios app, which is hosted on the same server as the fake lottery website. During testing, we did not receive a reply from the attacker's WhatsApp account, but we attribute that to not using a Brazilian phone number.
The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). The screenshots in Figure 8 show that victims have to manually download and install the app, compromising their devices with trojanized HandyPay in the process. We observed malicious apps with similar names being used in an October 2025 campaign targeting Brazil that deployed the PhantomCard variant of NGate.

Execution flow
An overview of the operational flow of the trojanized HandyPay app is shown in Figure 9.

First, the victim needs to manually install a trojanized version of HandyPay, since the app is only available outside Google Play. When a user taps the download app button in their browser, Android automatically blocks the installation and displays a prompt asking them to allow installation from this source. The user simply needs to tap Settings in that prompt, enable "Allow from this source", return to the download screen, and continue installing the app. Once installed, the app asks to be set as the default payment app, which can be seen in Figure 10. This functionality isn't malicious, as it is part of the official HandyPay app. The actual malware injected into the code doesn't need this setting to be enabled on the victim's phone to relay NFC data; only the device receiving the data, i.e., the operator's device, needs this setting enabled. No further permissions are required (see Figure 11), helping the malicious app stay under the radar.


The victim is then asked to enter their payment card PIN into the app and tap their card on the back of the smartphone with NFC enabled. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device, enabling the threat actor to use the victim's payment card data to withdraw cash from ATMs. The operator's device is linked to an email address hardcoded inside the malicious app, ensuring that all captured NFC traffic is routed exclusively to the attacker. We have observed two different attacker email addresses being used in the analyzed samples. On top of the standard batch of data that is transferred in the NFC relay, the victim's payment card PIN is exfiltrated separately to a dedicated C&C server over HTTP (see Figure 12), not relying on HandyPay infrastructure. The C&C endpoint for PIN harvesting also functions as the distribution server, centralizing both delivery and data-collection operations.
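The PIN exfiltration described above travels over plain HTTP to a server that doubles as the distribution point, so from an egress-monitoring perspective the two IP addresses in the Network IoC table below are the most actionable artifacts in this report. The following script is an added example, not ESET's code or tooling: it reads a simplified, constructed proxy log format (timestamp, source IP, destination IP, scheme, method, path) and flags connections to the two indicators from this report, grading a plaintext HTTP POST to the C&C address highest because that matches the PIN exfiltration path. The log format, the field order and the sample lines are assumptions made for the example; the file names in the sample paths are placeholders, not the actual filenames from the report.

```python
"""Flag egress to the NGate infrastructure listed in this report's Network IoC table.

Added example (not ESET's code). Log format is a constructed, simplified
proxy/egress log with six whitespace-separated fields:
    <ISO timestamp> <src_ip> <dst_ip> <scheme> <method> <path>
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the report's Network table, kept in defanged form so
# the dictionary can be shared without creating clickable addresses.
NGATE_IOCS = {
    "104.21.91[.]170": "NGate distribution website",
    "108.165.230[.]223": "NGate C&C server",
}


def refang(ip: str) -> str:
    """Turn the defanged '[.]' notation back into a dotted-quad for matching."""
    return ip.replace("[.]", ".")


IOC_BY_IP = {refang(ip): role for ip, role in NGATE_IOCS.items()}


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    role: str
    severity: str
    reason: str


def classify(fields: List[str]) -> Optional[Finding]:
    """Return a Finding if the destination is a known NGate indicator, else None."""
    ts, src, dst, scheme, method, path = fields
    role = IOC_BY_IP.get(dst)
    if role is None:
        return None
    # The report states the PIN is sent to the C&C server over plain HTTP, so an
    # unencrypted POST to that address is the strongest signal in this log.
    if "C&C" in role and scheme == "http" and method.upper() == "POST":
        return Finding(ts, src, dst, role, "high",
                       "plaintext HTTP POST to NGate C&C (possible PIN exfiltration)")
    # An APK fetched from the distribution site points at a sideload in progress.
    if "distribution" in role and path.lower().endswith(".apk"):
        return Finding(ts, src, dst, role, "medium",
                       "APK download from NGate distribution website")
    return Finding(ts, src, dst, role, "low",
                   "contact with known NGate infrastructure")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines in order; malformed lines are skipped rather than fatal."""
    findings: List[Finding] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue
        finding = classify(fields)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log (not captured traffic). Paths are placeholders.
SAMPLE_LOG = """\
2025-11-10T14:02:11Z 10.0.0.23 142.250.72.14 https GET /
2025-11-10T14:03:40Z 10.0.0.23 104.21.91.170 https GET /download/placeholder.apk
this line is malformed and should be skipped
2025-11-10T14:09:05Z 10.0.0.23 108.165.230.223 http POST /placeholder-endpoint
2025-11-10T14:09:06Z 10.0.0.23 108.165.230.223 https GET /
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.src} -> {f.dst} ({f.role}): {f.reason}")
```

On the sample log this yields three findings in order: a medium-severity APK download from the distribution address, a high-severity plaintext POST to the C&C address, and a low-severity contact with the C&C address over HTTPS. In a real deployment the indicator list should be loaded from the report's GitHub IoC repository rather than hardcoded, and the `classify` rules extended to whatever fields the actual proxy emits.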

Conclusion
With the appearance of yet another NGate campaign on the scene, it is clear that NFC fraud is on the rise. This time, instead of using an established solution such as NFCGate or a MaaS on offer, the threat actors decided to trojanize HandyPay, an application with existing NFC relay functionality. The high likelihood that GenAI was used to help create the malicious code demonstrates how cybercrooks can do harm by abusing LLMs even without technical expertise.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 48A0DE6A43FC6E49318A | PROTECAO_CART | Android/Spy.NGate.CC | Android NGate malware. |
| A4F793539480677241EF | PROTECAO_CART | Android/Spy.NGate.CB | Android NGate malware. |
| 94AF94CA818697E1D991 | Rio_de_Prêmios | Android/Spy.NGate.CB | Android NGate malware. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 104.21.91[.]170 | protecaocart | Cloudflare, Inc. | 2025‑11‑08 | NGate distribution website. |
| 108.165.230[.]223 | N/A | KAUA REIS DA SILVA trading as BattleHost | 2025‑11‑09 | NGate C&C server. |
MITRE ATT&CK techniques
This table was built using version 18 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1660 | Phishing | NGate has been distributed using dedicated websites. |
| Credential Access | T1417.002 | Input Capture: GUI Input Capture | NGate tries to obtain victims' PIN codes via a patched text field. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | NGate exfiltrates victims' PINs over HTTP. |