NGate Malware Targets Brazilian HandyPay App to Steal NFC Data, PINs

Cybersecurity experts have identified a new variant of the Android malware family known as NGate, which now targets Brazilian users by compromising the legitimate HandyPay application. This malicious campaign involves embedding harmful code into HandyPay, enabling attackers to intercept Near Field Communication (NFC) data and Personal Identification Numbers (PINs) from victims’ payment cards.

Lukáš Štefanko, a security researcher at ESET, reported that the attackers modified HandyPay—a legitimate app used for relaying NFC data—by injecting it with malicious code that appears to have been generated using artificial intelligence. This alteration allows cybercriminals to transfer NFC data from a victim’s payment card to their own device, facilitating unauthorized contactless ATM withdrawals and payments. Additionally, the malware captures the victim’s payment card PIN and transmits it to the attackers’ command-and-control (C2) server.

Evolution of NGate Malware

NGate, also referred to as NFSkate, was first documented in August 2024 and was recognized for its ability to perform relay attacks, extracting contactless payment data from victims to execute fraudulent transactions. At that time, in August 2024, the malware was observed targeting three banks in Czechia, using malicious progressive web apps (PWAs) and WebAPKs to deceive users into installing it. The primary objective was to clone NFC data from victims’ physical payment cards and transmit it to an attacker-controlled device, which would then emulate the original card to withdraw money from ATMs.

In August 2024, Dutch mobile security firm ThreatFabric detailed a threat named RatOn, which employed dropper apps masquerading as adult-friendly versions of TikTok to deploy NGate for NFC relay attacks. These incidents underscored the malware’s adaptability and the increasing sophistication of cybercriminal tactics.

Current Campaign in Brazil

The latest iteration of NGate has been primarily targeting users in Brazil, marking the first campaign to focus on this South American country. The compromised HandyPay application is disseminated through websites impersonating Rio de Prêmios—a lottery operated by the Rio de Janeiro state lottery organization—and a counterfeit Google Play Store page for a purported card protection app.

On the fake lottery website, users are prompted to click a button to send a WhatsApp message to claim their prize money. This action redirects them to download the malicious version of the HandyPay app. Once installed, the app requests to be set as the default payment application.

Subsequently, victims are instructed to enter their payment card PIN into the app and tap their card against the back of their NFC-enabled smartphone. Upon completing this step, the malware exploits HandyPay to capture and relay the NFC card data to a device controlled by the attackers. This process enables cybercriminals to use the stolen information for unauthorized ATM cash withdrawals.

The campaign is believed to have commenced around November 2025. Notably, the malicious version of HandyPay has never been available on the official Google Play Store. Instead, attackers have relied on deceptive methods to trick unsuspecting users into downloading the compromised app. In response, HandyPay has initiated an internal investigation into the matter.

Economic and Technical Considerations

ESET researchers suggest that the lower subscription costs associated with HandyPay may have influenced the attackers’ decision to switch from existing solutions, which can cost over $400 per month. Furthermore, HandyPay’s native functionality does not require any special permissions beyond being set as the default payment app, reducing the likelihood of raising user suspicion.

Artificial Intelligence in Malware Development

An analysis of the malicious code revealed the presence of emojis in debug and toast messages, indicating the possible use of large language models (LLMs) to generate or modify the source code. While definitive proof is lacking, this development aligns with a broader trend of cybercriminals leveraging generative artificial intelligence to create malware, even with minimal technical expertise.

Broader Implications and Related Threats

The emergence of this NGate campaign highlights the growing prevalence of NFC fraud. In previous instances, NGate has been used to relay victims’ contactless payment data from physical credit and debit cards to attacker-controlled devices, facilitating fraudulent operations. For example, in August 2024, NGate targeted three banks in Czechia, employing malicious PWAs and WebAPKs to deceive users into installing the malware.

Additionally, other malware families like SuperCard X have exploited NFC technology to commit financial fraud using inventive relay techniques. These methods allow NFC signals from a victim’s payment card to be routed through a compromised phone to attacker-controlled devices, enabling criminals to withdraw cash from ATMs remotely.

Another related technique, referred to as Ghost Tap, involves attackers registering stolen card data in their own digital wallets, such as Google Pay and Apple Pay. The loaded wallets are then relayed to conduct fraudulent contactless payments globally. In these cases, attackers create fraudulent transactions by tapping compromised mobile devices against NFC-enabled payment terminals. These transactions appear legitimate, bypassing traditional security checks and allowing criminals to cash out quickly.

Protective Measures and Recommendations

To safeguard against such threats, users are advised to download applications exclusively from official app stores and to verify the authenticity of apps before installation. Users should also be cautious of unsolicited messages or emails prompting them to install apps or enter sensitive information, and should regularly update device software and security applications to protect against known vulnerabilities.

As cybercriminals continue to refine their methods, staying informed about emerging threats and adopting proactive security practices are essential steps in mitigating the risk of falling victim to such sophisticated attacks.