A new variant of the NGate malware family has been identified, leveraging a trojanized Android application to capture payment card data and PINs.
According to research published by ESET on April 21, the new campaign has replaced earlier tooling with a modified version of HandyPay, a legitimate near-field communication (NFC) relay app, which enables attackers to intercept and reuse sensitive financial data.
The researchers said the malicious version of HandyPay has been distributed since November 2025, and primarily targets users in Brazil.
Once installed, the app relays NFC payment card data from victims to attacker-controlled devices, allowing fraudulent contactless transactions and ATM withdrawals.
Two separate malware samples were observed, both delivered through phishing infrastructure hosted on the same domain. One impersonates a Brazilian lottery site, while the other mimics a Google Play listing for a card protection tool.
Trojanized App Enables Stealthy NFC Abuse
Rather than relying on established malware-as-a-service (MaaS) kits, the operators modified HandyPay to include malicious functionality.
The legitimate app allows users to share NFC card data between devices, a feature repurposed by attackers to forward payment information without raising suspicion.
Victims are instructed to install the app manually after interacting with fake websites. Because the app is not available on the official store, Android prompts users during installation to allow apps from unknown sources.
Once installed, the malware performs several actions:
-
Captures NFC data from payment cards tapped on the device
-
Requests and records the victim’s card PIN
-
Transmits both data sets to attacker-controlled infrastructure
Read more on mobile banking malware: APK Malformation Found in Thousands of Android Malware Samples
Unlike many Android threats, the trojanized app requires minimal permissions, relying instead on its role as the default payment application. This design helps it avoid detection while maintaining full functionality.
GenAI Suspected in Malware Development
Evidence suggests the malicious code may have been partially generated using generative AI tools. Researchers identified emoji markers within debug logs, which is often associated with AI-assisted code generation.
While not definitive proof, the findings align with a broader trend in which threat actors use large language models (LLMs) to accelerate malware development.
The campaign also reflects a shift in NFC-based fraud techniques. Earlier NGate variants relied on open-source tools such as NFCGate, but newer operations increasingly combine NFC relay capabilities with banking trojan features.
ESET shared its findings with Google. Google Play Protect detects known versions of the malware, said Google.
The HandyPay developer has also been allegedly notified and is investigating the misuse of its application.
