ESET Analysis has found a brand new variant of the NGate malware household that abuses a authentic Android software known as HandyPay, as a substitute of the beforehand leveraged NFCGate software. The risk actors took the app, which is used to relay NFC information, and patched it with malicious code that seems to have been AI-generated. As with earlier iterations of NGate, the malicious code permits the attackers to switch NFC information from the sufferer’s cost card to their very own machine and use it for contactless ATM cash-outs and unauthorized funds. Moreover, the code may seize the sufferer’s cost card PIN and exfiltrate it to the operators’ C&C server.
Key factors of this blogpost:
- ESET researchers found a brand new NGate malware variant abusing the authentic Android HandyPay software.
- To trojanize HandyPay, risk actors most likely used GenAI, indicated by emoji left within the logs which might be typical of AI-generated textual content.
- The marketing campaign has been ongoing since November 2025 and targets Android customers in Brazil.
- Other than relaying NFC information, the malicious code additionally steals cost card PINs.
- We noticed two NGate samples being distributed within the assaults: one by way of a pretend lottery web site, the opposite by means of a pretend Google Play web site. Each websites have been hosted on the identical area, strongly implying a single risk actor.
The assaults goal customers in Brazil, with the trojanized app being distributed primarily by means of a web site impersonating a Brazilian lottery, Rio de Prêmios, in addition to by way of a pretend Google Play web page for a supposed card safety app. This isn’t the primary NGate marketing campaign to take purpose at Brazil: as we described in our H2 2025 Menace Report, NFC‑based mostly assaults are increasing into new areas (see Determine 1) whereas leveraging extra refined techniques and strategies, with Brazil specifically being focused by a variant of NGate known as PhantomCard. Attackers are experimenting with contemporary social engineering approaches and more and more combining NFC abuse with banking trojan capabilities.
We imagine that the marketing campaign distributing trojanized HandyPay started round November 2025 and stays lively on the time of scripting this blogpost. It must also be famous that the maliciously patched model of HandyPay has by no means been out there on the official Google Play retailer. As an App Protection Alliance companion, we shared our findings with Google. Android customers are robotically protected towards recognized variations of this malware by Google Play Shield, which is enabled by default on Android units with Google Play providers.
We additionally reached out to the HandyPay developer to alert them concerning the malicious use of their software. After establishing communication, they confirmed that they’re conducting an inside investigation on their aspect.
HandyPay abuse
Because the variety of NFC threats retains rising, so is the ecosystem supporting them changing into extra strong. The first NGate assaults employed the open-source NFCGate software to facilitate the switch of NFC information. Since then, a number of malware-as-a-service (MaaS) choices with related performance, reminiscent of NFU Pay and TX‑NFC, have grow to be out there for buy. These kits are actively marketed to associates on Telegram (one such commercial is depicted in Determine 2). For instance, the aforementioned PhantomCard assaults that additionally focused Brazil employed NFU Pay to facilitate information switch. Within the case of the marketing campaign described on this blogpost, nonetheless, the risk actors determined to go along with their very own resolution and maliciously patched an present app – HandyPay.
HandyPay (official web site) is an Android app that has been out there on Google Play since 2021. It allows relaying NFC information from one machine to a different, which can be utilized to share a card with a member of the family, enable one’s baby to make a one-time buy, and so forth. The information is first learn on the cardholder’s machine after which shared with a linked machine. After the customers hyperlink their accounts by e-mail, the cardholder scans their cost card by way of NFC, upon which the encrypted information is transferred over the web to the paired machine. That machine can then execute tap-to-pay actions utilizing the unique cardholder’s card. For the method to work, the customers have to set HandyPay because the default cost app and register with Google or an email-based token.
As per the developer’s web site, the app features a diploma of monetization (see Determine 3): utilizing the app as a reader is free (“Visitor entry”), however to emulate the cardboard on a paired machine (“Consumer entry”), you supposedly have to subscribe for €9.99 monthly. The location, nonetheless, frames this payment as a donation and the cost is just not talked about on the official Google Play retailer web page.
Why did the operators of this marketing campaign determine to trojanize the HandyPay app as a substitute of going with a longtime resolution for relaying NFC information? The reply is straightforward: cash. The subscription charges for present MaaS kits run within the lots of of {dollars}: NFU Pay advertises its product for nearly US$400 monthly, whereas TX-NFC goes for round US$500 monthly. HandyPay, alternatively, is considerably cheaper, solely asking for the €9.99 monthly donation, if even that. Along with the value, HandyPay natively doesn’t require any permissions, solely to be made the default cost app, serving to the risk actors keep away from elevating suspicion.
As we already alluded to within the introduction, the malicious code used to trojanize HandyPay reveals indicators of getting been produced with the assistance of GenAI instruments. Particularly, the malware logs comprise emoji typical of AI-generated textual content (see the code snippet in Determine 4), suggesting that LLMs have been concerned in producing or modifying the code, though definitive proof stays elusive. This matches a broader pattern during which GenAI lowers the barrier to entry for cybercriminals, enabling risk actors with restricted technical talent to supply workable malware.
Evaluation of the marketing campaign
Focusing on
Based mostly on the distribution vectors and the language model of the trojanized app, the marketing campaign targets Android customers in Brazil. Whereas analyzing the attackers’ C&C server, we additionally discovered logs from 4 compromised units, all geolocated in Brazil. The information contained captured PIN codes, IP addresses, and timestamps related to the assaults.
Preliminary entry
As a part of the marketing campaign, we noticed two NGate samples. Though they’re distributed individually, they’re hosted on the identical area and use the identical HandyPay app, indicating a coordinated operation performed by the identical malicious risk actors. The distribution movement of each samples is depicted in Determine 5.
The primary NGate pattern is distributed by means of a web site that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery group (Loterj). The location reveals a scratch card sport the place the person is meant to disclose three matching symbols, with the result rigged in order that the person all the time “wins” R$20,000 (see Determine 6). With the intention to declare the prize, the person is requested to faucet a button that opens the authentic WhatsApp with a prefilled message addressed to a predefined WhatsApp quantity, as proven in Determine 7. To extend credibility, the related WhatsApp account makes use of a profile picture that impersonates Caixa Econômica Federal, Brazil’s government-owned financial institution that manages nearly all of lotteries within the nation.
That is probably the place the sufferer is directed to the patched HandyPay app masquerading because the Rio de Prêmios app, which is hosted on the identical server because the pretend lottery web site. Throughout testing, we didn’t obtain a reply from the attacker’s WhatsApp account, however we attribute that to not utilizing a Brazilian cellphone quantity.
The second NGate pattern is distributed by way of a pretend Google Play internet web page as an app named Proteção Cartão (machine translation: Card Safety). The screenshots in Determine 8 present that victims should manually obtain and set up the app, compromising their units with trojanized HandyPay within the course of. We noticed malicious apps with related names being utilized in an October 2025 marketing campaign concentrating on Brazil that deployed the PhantomCard variant of NGate.
Execution movement
An summary of the operational movement of the trojanized HandyPay app is proven in Determine 9.
First, the sufferer must manually set up a trojanized model of HandyPay, because the app is simply out there outdoors Google Play. When a person faucets the obtain app button of their browser, Android robotically blocks the set up and reveals a immediate asking them to permit set up from this supply. The person merely must faucet Settings in that immediate, allow “Permit from this supply”, return to the obtain display screen, and proceed putting in the app. As soon as put in, the app asks to be set because the default cost app, which will be seen in Determine 10. This performance is just not malicious, as it’s a part of the official HandyPay app. The precise malware injected within the code doesn’t want this setting to be enabled on the sufferer’s cellphone to relay NFC information; solely the machine receiving the info, i.e., the operator machine, wants this setting enabled. No additional permissions are required (see Determine 11), serving to the malicious app keep underneath the radar.
The sufferer is then requested to enter their cost card PIN into the app, and faucet their card on the again of the smartphone with NFC enabled. The malware abuses the HandyPay service to ahead NFC card information to an attacker-controlled machine, enabling the risk actor to make use of the sufferer’s cost card information to withdraw money from ATMs. The operator’s machine is linked to an e-mail tackle hardcoded throughout the malicious app, making certain that every one captured NFC visitors is routed completely to the attacker. We now have noticed two totally different attacker e-mail addresses getting used within the analyzed samples. On prime of the usual batch of information that’s transferred within the NFC relay, the sufferer’s cost card PIN is exfiltrated individually to a devoted C&C server over HTTP (see Determine 12), not counting on HandyPay infrastructure. The C&C endpoint for PIN harvesting additionally capabilities because the distribution server, centralizing each supply and data-collection operations.
Conclusion
With the looks of one more NGate marketing campaign on the scene, it may be plainly seen that NFC fraud is on the rise. This time, as a substitute of utilizing a longtime resolution reminiscent of NFCGate or a MaaS on supply, the risk actors determined to trojanize HandyPay, an software with present NFC relay performance. The excessive probability that GenAI was used to assist with the creation of the malicious code demonstrates how cybercrooks can do hurt by abusing LLMs even with out the necessity for technical experience.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis presents non-public APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.
IoCs
A complete listing of indicators of compromise (IoCs) and samples will be present in our GitHub repository
Recordsdata
| SHA-1 | Filename | Detection | Description |
| 48A0DE6A43FC6E49318A |
PROTECAO_CART |
Android/Spy.NGate.CC | Android NGate malware. |
| A4F793539480677241EF |
PROTECAO_CART |
Android/Spy.NGate.CB | Android NGate malware. |
| 94AF94CA818697E1D991 |
Rio_de_Prêmios |
Android/Spy.NGate.CB | Android NGate malware. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| 104.21.91[.]170 | protecaocart |
Cloudflare, Inc. | 2025‑11‑08 | NGate distribution web site. |
| 108.165.230[.]223 | N/A | KAUA REIS DA SILVA buying and selling as BattleHost |
2025‑11‑09 | NGate C&C server. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 18 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
| Preliminary Entry | T1660 | Phishing | NGate has been distributed utilizing devoted web sites. |
| Credential Entry | T1417.002 | Enter Seize: GUI Enter Seize | NGate tries to acquire victims’ PIN codes by way of a patched textual content field. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | NGate exfiltrates victims’ PINs over HTTP. |
