New NGate Malware Variant Hides Inside Trojanized HandyPay NFC App to Steal Payment Card Data
ESET researchers have uncovered a new NGate malware variant that trojanizes the legitimate Android NFC relay app HandyPay, enabling attackers to steal payment card data and PINs for contactless ATM cash-outs.

ESET researchers have discovered a new variant of the NGate malware family that takes a novel approach to NFC-based payment fraud. Instead of relying on the open-source NFCGate tool used in previous campaigns, this variant trojanizes HandyPay, a legitimate Android application designed to relay NFC data between devices. The malicious code, which shows signs of being AI-generated, lets attackers read NFC data from victims' payment cards and relay it to their own devices for contactless ATM withdrawals and unauthorized payments.
The campaign has been active since November 2025 and specifically targets Android users in Brazil. The trojanized HandyPay app is distributed through two primary channels: a website impersonating the Brazilian lottery Rio de Prêmios and a fake Google Play page promoting a supposed card protection app. Both distribution sites were hosted on the same domain, strongly suggesting a single threat actor is behind the operation. This is not the first NGate campaign to target Brazil; ESET's H2 2025 Threat Report highlighted that NFC-based attacks are expanding into new regions, with Brazil previously targeted by a variant called PhantomCard.
The malicious code embedded in HandyPay serves two primary purposes. First, it relays NFC data from the victim's payment card to the attacker's device, enabling contactless transactions: the victim's own phone reads the card and forwards the exchange to the attacker's device in real time, which is required because an EMV card's responses are specific to each transaction and cannot simply be recorded and replayed later. Second, it captures the victim's payment card PIN and exfiltrates it to the operators' command-and-control server. Together, these capabilities let attackers perform ATM cash-outs and make unauthorized payments without ever holding the victim's card.
ESET researchers believe the threat actors chose to trojanize HandyPay rather than use existing malware-as-a-service (MaaS) kits like NFU Pay or TX-NFC due to cost considerations. NFU Pay advertises its product for nearly $400 per month, while TX-NFC costs around $500 per month. In contrast, HandyPay only asks for a €9.99 per month donation, making it a significantly cheaper alternative. Additionally, HandyPay natively requires no special permissions beyond being set as the default payment app, helping the attackers avoid raising suspicion.
The malicious code used to trojanize HandyPay shows signs of having been produced with the help of generative AI tools. Specifically, the malware logs contain emoji typical of AI-generated text, suggesting that large language models were involved in generating or modifying the code. This fits a broader trend in which GenAI is lowering the barrier to entry for cybercriminals, enabling them to create sophisticated malware with less technical expertise.
Google has been notified of the findings through the App Defense Alliance partnership, and Google Play Protect, which is enabled by default on Android devices with Google Play services, automatically blocks known versions of this malware. ESET also reached out to the HandyPay developer, who confirmed they are conducting an internal investigation. The trojanized version of HandyPay has never been available on the official Google Play store.
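Two facts above give defenders a cheap triage heuristic: the trojanized app only ever reached victims by sideloading from websites, never through Google Play, and it has to be set as the device's default payment app to work. The following script, an added example and not ESET's or HandyPay's code, combines the two. It parses the output of `adb shell settings get secure nfc_payment_default_component` (the Android secure setting holding the default contactless payment service) and `adb shell pm list packages -i` (which reports each package's installer), then flags a default payment app that was not installed by a store. The sample outputs embedded below are constructed, and `org.example.handypay` is a hypothetical package name, not the real app's identifier.

```python
"""Triage heuristic for sideloaded default-payment apps (added example).

Inputs are the text of two adb commands captured on the device under review:
  adb shell settings get secure nfc_payment_default_component
  adb shell pm list packages -i
The samples below are constructed; org.example.handypay is a hypothetical package.
"""
import re
from typing import Dict, Optional

# Installer IDs treated as app-store installs. com.android.vending is Google Play;
# extend with OEM store IDs for your fleet (assumption: only Play is trusted here).
STORE_INSTALLERS = {"com.android.vending"}

# Constructed sample outputs, not real device captures.
SAMPLE_DEFAULT_PAYMENT = "org.example.handypay/.HostApduRelayService\n"
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.example.handypay  installer=null
package:com.google.android.apps.walletnfcrel  installer=com.android.vending
"""

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_default_payment_component(raw: str) -> Optional[str]:
    """Package name of the app holding the default contactless-payment role, or None."""
    value = raw.strip()
    if not value or value == "null":
        return None
    # The setting stores a ComponentName of the form <package>/<service class>.
    return value.split("/", 1)[0]


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def assess_default_payment_app(default_raw: str, pm_raw: str) -> dict:
    """Flag a default payment app that did not come from a trusted store.

    A sideloaded app in this role is not proof of compromise (people do sideload
    legitimate wallets), but it is exactly the footprint of the campaign above:
    an NFC relay app installed from a website and set as the default payment app.
    """
    pkg = parse_default_payment_component(default_raw)
    if pkg is None:
        return {"package": None, "installer": None, "suspicious": False,
                "reason": "no default payment app configured"}
    installers = parse_installers(pm_raw)
    if pkg not in installers:
        # Stale setting or a package hidden from pm; worth a closer look either way.
        return {"package": pkg, "installer": None, "suspicious": True,
                "reason": "default payment component points at a package not in pm output"}
    installer = installers[pkg]
    suspicious = installer not in STORE_INSTALLERS
    reason = (f"default payment app was sideloaded (installer={installer or 'null'})"
              if suspicious else "default payment app installed from a trusted store")
    return {"package": pkg, "installer": installer, "suspicious": suspicious, "reason": reason}


if __name__ == "__main__":
    print(assess_default_payment_app(SAMPLE_DEFAULT_PAYMENT, SAMPLE_PM_OUTPUT))
```

Run the two adb commands against a connected device and feed their output to `assess_default_payment_app`; on the constructed sample it reports the hypothetical relay app as sideloaded and suspicious. Treat a hit as a lead, not a verdict: confirm with Play Protect's scan results and the app's signing certificate before calling it the trojanized build.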
This discovery highlights the evolving sophistication of NFC-based attacks and the increasing use of legitimate applications as vehicles for malware. As the ecosystem supporting NFC threats becomes more robust, with MaaS offerings like NFU Pay and TX-NFC actively marketed on Telegram, threat actors are experimenting with fresh social engineering approaches and combining NFC abuse with banking trojan capabilities. Users are advised to install apps only from official app stores, to keep Google Play Protect enabled, and to be cautious of unsolicited links or websites promoting security or payment applications. Because this campaign depends on the trojanized app holding the default payment role, it is also worth checking which app is set as the default contactless payment app in the device's NFC settings and removing anything there that was not deliberately installed.