VYPR research
Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Trojanized HandyPay App Fuels New Wave of NFC Fraud Targeting Brazil

ESET has uncovered a new NGate malware variant that uses a trojanized version of the legitimate HandyPay NFC relay app to steal payment card data and PINs from Android users, primarily in Brazil.

ESET researchers have identified a new variant of the NGate malware family that repurposes a legitimate Android app to steal payment card data and PINs. The campaign, detailed in a report published April 21, uses a trojanized version of HandyPay, a legitimate near-field communication (NFC) relay application, to intercept and forward sensitive financial information to attacker-controlled devices. The malicious app has been distributed since November 2025 and primarily targets users in Brazil.

The malware operates by relaying NFC payment card data from victims' devices to attackers, enabling fraudulent contactless transactions and ATM withdrawals. ESET observed two separate malware samples, both delivered through phishing infrastructure hosted on the same domain. One sample impersonates a Brazilian lottery site, while the other mimics a Google Play listing for a card protection tool. Victims are instructed to manually install the app after interacting with these fake websites, bypassing official app stores.

Unlike many Android threats, the trojanized HandyPay requires minimal permissions. It relies on being set as the default payment application on the device, a design that helps it avoid detection while maintaining full functionality. Once installed, the malware captures NFC data from payment cards tapped on the device, requests and records the victim's card PIN, and transmits both data sets to attacker-controlled infrastructure.
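Because the trojanized app depends on being the device's default payment handler and arrives by sideloading rather than through Google Play, a defender can triage a managed Android fleet by correlating those two facts. The script below is an added example written for this summary, not code from ESET, HandyPay or the malware: it parses the output of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i` (the setting name and the `package:<pkg>  installer=<pkg>` output format are assumed from AOSP; the package names and outputs here are constructed samples) and flags a default payment app whose installer is not the Play Store.

```shell
#!/bin/sh
# Constructed stand-in for `adb shell pm list packages -i` output
# (format assumed: "package:<pkg>  installer=<installer|null>").
SAMPLE_PKGS='package:com.android.vending  installer=null
package:com.google.android.apps.walletnfcrel  installer=com.android.vending
package:app.handypay.example  installer=null'

# Constructed stand-in for
# `adb shell settings get secure nfc_payment_default_component`
# (a "pkg/ServiceClass" component, or "null" when nothing is set).
SAMPLE_DEFAULT='app.handypay.example/.HceService'

# default_payment_pkg <component>: package part of "pkg/Class"
default_payment_pkg() { printf '%s\n' "$1" | cut -d/ -f1; }

# installer_of <pkg> <pm-list-output>: installer package, or "unknown"
installer_of() {
  printf '%s\n' "$2" | awk -v pkg="$1" '
    BEGIN { want = "package:" pkg }
    $1 == want { sub(/^installer=/, "", $2); print $2; found = 1 }
    END { if (!found) print "unknown" }'
}

# flag_default_payment_app <component> <pm-list-output>
# Prints "NONE" if no default is set, "OK <pkg>" if the default payment
# handler was installed by Google Play, otherwise "SUSPECT <pkg>
# installer=<x>" and returns 1 so the result can drive an alert.
flag_default_payment_app() {
  [ "$1" = "null" ] && { printf 'NONE\n'; return 0; }
  pkg=$(default_payment_pkg "$1")
  inst=$(installer_of "$pkg" "$2")
  case "$inst" in
    com.android.vending) printf 'OK %s\n' "$pkg"; return 0 ;;
    *) printf 'SUSPECT %s installer=%s\n' "$pkg" "$inst"; return 1 ;;
  esac
}

# Stand-alone run against the constructed samples.
flag_default_payment_app "$SAMPLE_DEFAULT" "$SAMPLE_PKGS" || true
```

On a real device, replace the two constructed strings with the live `adb shell` outputs; a SUSPECT result only means the default payment app was not installed from Play and warrants a closer look, not that it is NGate.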

The campaign reflects a shift in NFC-based fraud techniques. Earlier NGate variants relied on open-source tools such as NFCGate, but newer operations increasingly combine NFC relay capabilities with banking trojan features. Evidence suggests the malicious code may have been partially generated using generative AI tools: researchers identified emoji markers within debug logs, a trait often associated with AI-assisted code generation.

ESET shared its findings with Google, which confirmed that Google Play Protect detects known versions of the malware. The HandyPay developer has also been notified and is investigating the misuse of its application. The campaign underscores the growing sophistication of mobile financial fraud, as threat actors continue to adapt legitimate tools for malicious purposes.

Synthesized by Vypr AI