NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
NGate Evolved: New Android Malware Campaign Targets Brazil with AI-Generated Code
TL;DR
A new iteration of the NGate Android malware (also known as NFSkate) is targeting users in Brazil by trojanizing the legitimate HandyPay app. Using what appears to be AI-generated code, the malware siphons NFC data and payment PINs to facilitate unauthorized ATM withdrawals and contactless payments.
Overview of the Discovery
Cybersecurity researchers from ESET have identified a renewed campaign involving the NGate malware family. While previous versions of this threat relied on tools like NFCGate, this latest variant has shifted strategy by "patching" a legitimate application called HandyPay with malicious code.
According to ESET security researcher Lukáš Štefanko, the malicious payload was likely developed or modified using Large Language Models (LLMs). The campaign, which is believed to have started around November 2025, marks the first time NGate has specifically targeted the Brazilian market.
Technical Evolution: From NFCGate to HandyPay
The core functionality of NGate remains the theft of Near Field Communication (NFC) data. By capturing this data, attackers can "relay" the signals from a victim's physical payment card to an attacker-controlled device. This allows criminals to perform:
- Contactless ATM cash-outs.
- Unauthorized point-of-sale (POS) payments.
The switch to HandyPay is significant for two reasons:
- Cost-Effectiveness: Existing turnkey "Malware-as-a-Service" (MaaS) solutions can cost upwards of $400 per month. HandyPay offers cheaper subscription models.
- Stealth: HandyPay natively requires very few permissions beyond being set as the default payment app, making it less likely to trigger security warnings for the user.
The Attack Vector: Fake Lotteries and Social Engineering
The NGate malware is not distributed via the official Google Play Store. Instead, threat actors use social engineering to trick victims into sideloading the "poisoned" app. Current distribution methods include:
- Mock State Lottery Sites: Websites mimicking "Rio de Prêmios" (a lottery in Rio de Janeiro) lure users with prize money. Victims are prompted to send a WhatsApp message to claim their prize, leading to the download of the malicious HandyPay app.
- Deceptive Google Play Mirrors: Fake web pages designed to look like official Google Play Store listings for "card protection" apps.
How the Theft Occurs
Once the trojanized app is installed, the attack follows a specific sequence:
- Permission Request: The app asks the victim to set it as the default payment application.
- Credential Harvesting: The victim is prompted to enter their physical payment card PIN into the app interface.
- Data Capture: The victim is instructed to tap their physical card against the back of their NFC-enabled smartphone.
- Exfiltration: The app captures the NFC data and the PIN, sending them to the attacker’s Command-and-Control (C2) server.
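A defender-side triage check for the first step of that sequence, added here as an example and not code from the article or from ESET: it reads which package holds Android's default NFC payment role and whether that package was installed from the Play Store, so a sideloaded app in that role stands out. The secure setting name `nfc_payment_default_component` and the `pm list packages -i` line format are assumptions, and the package names and listing are constructed sample data.

```shell
#!/bin/sh
# Triage helper (added example): which app holds the NFC default-payment role,
# and was it installed from the Play Store? On a real device the two inputs
# would come from:
#   adb shell settings get secure nfc_payment_default_component
#   adb shell pm list packages -i
# Both the setting name and the listing format are assumptions, not from the article.

# Constructed sample: a sideloaded app has been made the default payment app.
SAMPLE_DEFAULT_COMPONENT='com.example.sideloaded.pay/com.example.sideloaded.pay.HceService'

# Constructed sample listing: "installer=null" means no recorded installer (sideloaded).
SAMPLE_PACKAGES='package:com.android.vending  installer=null
package:com.example.bankapp  installer=com.android.vending
package:com.example.sideloaded.pay  installer=null
package:com.example.wallet  installer=com.android.vending'

# The package name is the part of the flattened ComponentName before "/".
payment_package() {
  printf '%s\n' "$1" | cut -d/ -f1
}

# Installer recorded for a package, or "unknown" if the package is not listed.
installer_of() {
  printf '%s\n' "$2" | awk -v p="package:$1" '
    $1 == p { sub(/^installer=/, "", $2); print $2; found = 1 }
    END { if (!found) print "unknown" }'
}

# Verdict line: "none: ...", "ok: ...", or "suspicious: ...".
triage_default_payment() {
  case "$1" in
    ''|null) echo "none: no default payment app set"; return 0 ;;
  esac
  pkg=$(payment_package "$1")
  inst=$(installer_of "$pkg" "$2")
  if [ "$inst" = "com.android.vending" ]; then
    echo "ok: $pkg installed from Play Store"
  else
    echo "suspicious: $pkg installer=$inst"
  fi
}

triage_default_payment "$SAMPLE_DEFAULT_COMPONENT" "$SAMPLE_PACKAGES"
```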
The AI Connection
Researchers noted several indicators that the malicious code may have been AI-generated, specifically the presence of emojis in debug and "toast" messages within the code. This aligns with a rising trend of lower-skill cybercriminals utilizing generative AI to modify source code or build malware artifacts.
Current Status
HandyPay has launched an internal investigation following the report. As of now, the campaign remains a potent threat to Brazilian mobile users. Security experts warn that the rise of NGate indicates a broader increase in NFC fraud, as attackers move away from traditional phishing and toward sophisticated hardware-based relay attacks.
Source
Original Article: NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Source Title: NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Publication Date: April 2026 (via The Hacker News)