
Android malware NGate steals NFC data through HandyPay app

A trojanized HandyPay application is being used by threat actors to steal the NFC payment data of Android users

A campaign that began in November 2025 and targets Android users in Brazil is still active and growing at an alarming rate. ESET researchers have discovered a new variant of the NGate malware family that uses a trojanized version of the HandyPay application to steal the NFC payment card data of Android users. The researchers also suspect that the malware's source code was generated or modified with a generative AI model, although this has not been proven.

The threat actors are mainly targeting Android users in Brazil, a conclusion ESET reached while analyzing the attackers' C&C server. The trojanized app is distributed through a fake website impersonating a Brazilian lottery, "Rio de Prêmios", as well as through a fake Google Play page. When asked for comment, HandyPay confirmed that an internal investigation is ongoing on their side.

[Image: Code snippet of the NGate malware. Image via ESET]

Generative AI appears to have played a role in developing the malware. As seen in the code snippet above, the malware's log messages contain emojis, a pattern commonly found in AI-generated text. This suggests that LLMs were used to generate or modify the code, although there is no conclusive proof.

[Image: Operational flow of the trojanized application. Image via ESET]

The attack begins on the fake lottery page, where the victim taps a button to claim a prize and ends up installing the trojanized HandyPay APK. Once installed, the app behaves like the legitimate application, which makes it difficult for the user to notice anything unusual. The user is then asked to enter the card's PIN into the app and to hold the card against the back of the NFC-enabled smartphone. In the background, the malware captures the card's NFC data and relays it to the attacker. With the relayed card data and the PIN, the threat actor can make contactless payments and withdraw cash from ATMs.

Explaining the mechanism, ESET said: "The operator's device is linked to an email address hardcoded within the malicious app, ensuring that all captured NFC traffic is routed exclusively to the attacker. We have observed two different attacker email addresses being used in the analyzed samples. On top of the standard batch of data that is transferred in the NFC relay, the victim's payment card PIN is exfiltrated separately to a dedicated C&C server over HTTP, not relying on HandyPay infrastructure. The C&C endpoint for PIN harvesting also functions as the distribution server, centralizing both delivery and data-collection operations."
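The two infrastructure details above (the APK is delivered from a fake lottery site, and the PIN is later posted over plain HTTP to a server that doubles as the distribution host) give a defender a simple correlation to hunt for in web-proxy or egress logs. The script below is an added example written for this article, not ESET's or HandyPay's code. It parses a handful of constructed proxy-log lines (hypothetical hosts and client addresses, not real indicators) and flags any client that downloads an APK from a host and then sends a plain-HTTP POST to that same host within a short window.

```python
"""Heuristic for the delivery-plus-collection pattern described above:
one host serves an APK to a client and, shortly afterwards, receives a
plain-HTTP POST from that same client. Added example; the log format,
host names and addresses are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines: "<timestamp> <client> <method> <url> <status> <content-type>".
# None of these hosts or addresses are real indicators.
SAMPLE_LOG = """\
2025-11-12T10:01:04Z 10.0.0.21 GET http://lottery-example.invalid/premios/ 200 text/html
2025-11-12T10:01:09Z 10.0.0.21 GET http://lottery-example.invalid/download/HandyPay.apk 200 application/vnd.android.package-archive
2025-11-12T10:06:30Z 10.0.0.21 POST http://lottery-example.invalid/api/collect 200 application/x-www-form-urlencoded
2025-11-12T10:07:00Z 10.0.0.22 GET http://cdn.example.invalid/app.apk 200 application/vnd.android.package-archive
2025-11-12T10:07:05Z 10.0.0.22 GET http://news.example.invalid/ 200 text/html
2025-11-12T10:20:00Z 10.0.0.24 GET https://store.example.invalid/app.apk 200 application/vnd.android.package-archive
2025-11-12T10:22:00Z 10.0.0.24 POST https://store.example.invalid/telemetry 200 application/json
2025-11-12T11:30:00Z 10.0.0.23 POST http://bank.example.invalid/login 200 application/json
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)
APK_MIME = "application/vnd.android.package-archive"


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    method: str
    scheme: str
    host: str
    path: str
    ctype: str


def parse_line(line: str) -> Request | None:
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    return Request(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        client=m["client"],
        method=m["method"],
        scheme=parts.scheme.lower(),
        host=parts.hostname or "",
        path=parts.path,
        ctype=m["ctype"].lower(),
    )


def is_apk_download(r: Request) -> bool:
    # Either the declared MIME type or the file extension identifies an APK.
    return r.method == "GET" and (r.ctype == APK_MIME or r.path.lower().endswith(".apk"))


def find_delivery_and_exfil(log_text: str, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one finding per (client, host) where an APK download is followed,
    within `window`, by a plain-HTTP POST from the same client to the same host."""
    requests = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    requests.sort(key=lambda r: r.ts)
    last_apk: dict[tuple[str, str], Request] = {}  # (client, host) -> APK download
    findings: list[dict] = []
    for r in requests:
        key = (r.client, r.host)
        if is_apk_download(r):
            last_apk[key] = r
            continue
        # Only cleartext HTTP POSTs are in scope: the article describes PIN
        # exfiltration over HTTP, and TLS traffic would not expose the path.
        if r.method == "POST" and r.scheme == "http" and key in last_apk:
            delta = r.ts - last_apk[key].ts
            if timedelta(0) <= delta <= window:
                findings.append({
                    "client": r.client,
                    "host": r.host,
                    "apk_path": last_apk[key].path,
                    "exfil_path": r.path,
                    "seconds_after_download": delta.total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_delivery_and_exfil(SAMPLE_LOG):
        print(f)
```

The heuristic is deliberately narrow: it flags only the cleartext case ESET describes, so a variant that moves PIN collection behind TLS or onto a separate host would need different indicators (for example, the APK download alone, or the hardcoded attacker email addresses in the sample).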

With the growing use of NFC payments, experts warn users to be wary of such attacks and to install applications only from official sources. The apparent use of generative AI also raises the prospect that people without deep technical expertise can build tooling to attack payment systems.
