ESET Research Center has detected a new variant of the NGate malware family that, instead of the previously used NFCGate tool, exploits a legitimate Android application called HandyPay. The attackers modified the NFC data transfer application, incorporating malicious code that appears to have been generated using artificial intelligence.
As with previous versions of NGate, the malware allows attackers to transfer NFC data from a victim’s payment card to their own device and use it for contactless ATM cash withdrawals and unauthorized payments. It can also capture victims’ payment card PINs and send them to the attackers’ command and control (C&C) server. The primary targets of this malware are located in Brazil. However, NFC-based attacks appear to be expanding to other regions.
The malicious code used to install the trojan on HandyPay shows signs of being created with the help of GenAI tools. Specifically, the log files contain an emoji that is considered a feature of AI-generated text, suggesting the possible involvement of large language models (LLMs) in its creation or modification, although there is no definitive evidence yet.
This development is part of a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling even people with limited technical skills to produce functional malware.
ESET Research Center estimates that the HandyPay malware distribution campaign began in November 2025 and remains active to this day. It is also worth noting that the malicious version of HandyPay was never available on the official Google Play Store. As a partner of the App Defense Alliance, ESET shared its findings with Google. At the same time, ESET contacted the developers of HandyPay to inform them about the malicious use of their application.
As the number of NFC-related threats continues to grow, the ecosystem supporting them is becoming increasingly robust. The first NGate attacks used the open-source tool NFCGate to facilitate data transfer over NFC. Since then, several malware-as-a-service (MaaS) solutions with similar functionality have appeared on the market. However, in this particular campaign, the perpetrators chose to develop their own approach, modifying an already existing application – HandyPay.
“Why did the perpetrators of this campaign decide to ‘modify’ the HandyPay app, instead of opting for an established solution for NFC data transfer? The answer is simple: money. Subscription fees for existing MaaS packages run into the hundreds of dollars. NFU Pay advertises its product for almost $400 per month, while TX-NFC costs around $500 per month. On the other hand, the legitimate HandyPay app is significantly cheaper, asking for only a donation of €9.99 per month. Furthermore, HandyPay does not inherently require any special permissions, other than being set as the default payment app, which helps the perpetrators avoid arousing suspicion,” says ESET researcher Lukáš Štefanko, who spotted the new NGate variant in a modified NFC payment app that contained a trojan.
The first new NGate variant is distributed via a website impersonating Rio de Prêmios, a public lottery program organized by the state lottery agency of Rio de Janeiro (Loterj). The second sample is distributed via a fake website that mimics Google Play, as an app called Proteção Cartão (automatic translation: “Card Protection”). Both websites were hosted on the same domain, which strongly suggests that a single threat actor is behind the attack.
The malware abuses HandyPay’s legitimate NFC-forwarding functionality to relay the victim’s card data to a device controlled by the attacker. In addition to relaying NFC data, the malicious code intercepts the payment card PIN, which together with the relayed card data allows the attacker to withdraw cash from ATMs.
For a more detailed analysis of the new NGate variant, read the latest ESET Research Center blog post titled “New NGate variant hides in trojan-infected NFC payment app” at WeLiveSecurity.com.

Figure: Geographic distribution of NGate attacks from January 2025 to February 2026