Cybersecurity researchers have found a new NGate Android malware campaign targeting users in Brazil since around November 2025, with the trojanized app used to relay NFC payment data and steal card PINs for contactless ATM cash-outs and unauthorized payments.
KEY FACTS
- Malware family: The campaign uses NGate, also known as NFSkate, a family focused on NFC relay attacks.
- Delivery method: Attackers disguised the app as a lottery-related download and as a card protection app listing.
- Behavior: The malicious app captures NFC card data and the victim’s PIN, then sends it to an attacker-controlled server.
- Targeting: ESET says the latest version has primarily targeted users in Brazil.
- App choice: The trojanized app is based on HandyPay, an application that already supports NFC relay functions.
A technical analysis by ESET said the threat actors patched the legitimate HandyPay app with malicious code that appears to have been AI-generated. The report said the malware can move NFC data from a victim’s payment card to the attacker’s device and use it for fraud.
The campaign used websites posing as Rio de Prêmios, a Rio de Janeiro state lottery, to prompt users to send a WhatsApp message before being directed to the poisoned app. The app then asked to be set as the default payment app and requested the user’s payment card PIN and NFC tap.
According to the report, the malicious version has not been offered on Google Play. That suggests the attackers relied on external sites and social engineering to distribute the app. HandyPay has opened an internal investigation.
ESET also said the lower cost of HandyPay may have made it more attractive than existing turnkey options. The report noted emojis in debug and toast messages, which may point to the use of a large language model to create or modify the code, although that could not be confirmed.
WHY IT MATTERS
The case shows how Android malware operators are adapting existing payment apps for NFC fraud instead of relying only on older tools or malware-as-a-service offerings. It also highlights the continued use of social engineering to push users into installing apps that can expose payment data and PINs.