New NGate Variant in Trojanized NFC Payment App

Executive Summary

ESET researchers discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The malicious code allows attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments, while also capturing the victim’s payment card PIN and exfiltrating it to the operators’ C&C server.

Key Takeaways

  • Active Campaign: The campaign has been ongoing since November 2025, targets Android users in Brazil, and remains active at the time of writing.
  • AI-Assisted Malware Development: The malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. The malware logs contain emoji typical of AI-generated text, suggesting LLMs were involved. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.  
  • Cost-Driven Approach: Subscription fees for existing MaaS NFC kits run in the hundreds of dollars; NFU Pay advertises for almost US$400/month, while TX-NFC goes for around US$500/month. HandyPay only asks for a €9.99/month donation. Additionally, HandyPay natively requires no permissions other than being set as the default payment app, helping the threat actors avoid raising suspicion.  
  • Expanding NFC Threat Landscape: This is not the first NGate campaign to target Brazil. NFC-based attacks are expanding into new regions while leveraging more sophisticated tactics, with attackers experimenting with fresh social engineering approaches and increasingly combining NFC abuse with banking trojan capabilities.  
  • Confirmed Victims: Analysis of the attackers’ C&C server revealed logs from four compromised devices, all geolocated in Brazil, containing captured PIN codes, IP addresses, and timestamps.  

Attack Vector & Execution Flow

Two NGate samples were distributed in the attacks: one via a fake lottery website, the other through a fake Google Play website. Both were hosted on the same domain, suggesting a single threat actor.
  • Vector 1 – Fake Lottery Site: The first sample is distributed through a site impersonating Rio de Prêmios, a Brazilian state lottery. The site presents a rigged scratch card game where the user always “wins” R$20,000, then prompts the victim to contact a WhatsApp number. The associated WhatsApp account uses a profile image impersonating Caixa Econômica Federal, Brazil’s government-owned bank.  
  • Vector 2 – Fake Google Play Page: The second sample is distributed via a fake Google Play web page as an app named “Proteção Cartão” (Card Protection), requiring victims to manually download and install the trojanized HandyPay app.  
  • On-Device Execution: The victim is asked to enter their payment card PIN into the app and tap their card on the back of the smartphone with NFC enabled. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device. The operator’s device is linked to an email address hardcoded within the malicious app, ensuring all captured NFC traffic is routed exclusively to the attacker.  
  • PIN Exfiltration: The victim’s payment card PIN is exfiltrated separately to a dedicated C&C server over HTTP, not relying on HandyPay infrastructure. The C&C endpoint for PIN harvesting also functions as the distribution server, centralizing both delivery and data-collection operations. 

Indicators of Compromise (IoCs)

File Hashes (SHA-1)

  Hash                                      | Filename                        | Detection
  48A0DE6A43FC6E49318AD6873EA63FE325200DBC  | PROTECAO_CARTAO[.]apk           | Android/Spy[.]NGate[.]CC
  A4F793539480677241EF312150E9C02E324C0AA2  | PROTECAO_CARTAO[.]apk           | Android/Spy[.]NGate[.]CB
  94AF94CA818697E1D99123F69965B11EAD9F010C  | Rio_de_Prêmios_Pagamento[.]apk  | Android/Spy[.]NGate[.]CB

Network Indicators (Obfuscated)

  Type    | Value                    | Role
  Domain  | protecaocartao[.]online  | NGate distribution website
  IP      | 104[.]21[.]91[.]170      | NGate distribution website
  IP      | 108[.]165[.]230[.]223    | NGate C&C server

Mitigation Options

  • Avoid Sideloading Apps: The maliciously patched version of HandyPay has never been available on the official Google Play store, and victims must manually install the trojanized version outside of Google Play. Users should be advised never to install APKs from untrusted sources.  
  • Enable Google Play Protect: Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play services. Verify this protection is active on all managed devices.  
  • User Awareness on Social Engineering: The campaign employs a rigged lottery site luring users with fake prize winnings of R$20,000, directing them to WhatsApp to “claim” the reward. Employees and users should be trained to recognize such tactics.  
  • Monitor for Unauthorized NFC Payment App Changes: The app requests to be set as the default payment app upon installation. The malware relays NFC data without requiring this setting on the victim’s device, only needing it on the attacker’s receiving device. Enterprises should monitor default payment app changes on managed devices.  
  • Block Known Malicious Infrastructure: Apply network-level blocks against the obfuscated domains and IPs listed above using perimeter controls or threat intelligence feeds. 
  • Threat Intelligence Sharing: ESET has shared findings with Google as an App Defense Alliance partner, and the HandyPay developer has been notified and is conducting an internal investigation. Organizations should subscribe to updated IoC feeds as the campaign remains active.
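As an added example (not ESET's code and not part of the original report), the following Python script shows how the indicators published above can be put to work for the "Block Known Malicious Infrastructure" step: it refangs the obfuscated domain and IP values, builds a blocklist suitable for perimeter controls, scans DNS/proxy log lines for hits, and checks file SHA-1 digests against the published hashes. The indicator values are the ones listed in this report; the log lines, internal client addresses and file names are constructed for illustration, and the boundary-aware matching regexes are this example's own design rather than any vendor's tooling.

```python
"""Refang obfuscated NGate IoCs and match them against logs and file hashes.

Added example, not ESET's code. Indicator values are taken from the report;
log lines, client IPs and file names below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Network indicators exactly as published (defanged with "[.]").
DEFANGED_NETWORK_IOCS = {
    "protecaocartao[.]online": "NGate distribution website",
    "104[.]21[.]91[.]170": "NGate distribution website",
    "108[.]165[.]230[.]223": "NGate C&C server",
}

# SHA-1 file hashes from the report, mapped to the (refanged) detection name.
SHA1_IOCS = {
    "48A0DE6A43FC6E49318AD6873EA63FE325200DBC": "Android/Spy.NGate.CC",
    "A4F793539480677241EF312150E9C02E324C0AA2": "Android/Spy.NGate.CB",
    "94AF94CA818697E1D99123F69965B11EAD9F010C": "Android/Spy.NGate.CB",
}


def refang(value):
    """Turn defanged notation ("[.]", "hxxp") back into a matchable indicator."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Refanged indicator -> role, in the report's order.
NETWORK_IOCS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items()}


def _pattern(indicator):
    """Build a regex that matches the indicator as a whole token only."""
    esc = re.escape(indicator)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", indicator):
        # IPv4: no digit or dot may continue the address on either side,
        # so 104.21.91.1700 does not count as a hit for 104.21.91.170.
        return re.compile(rf"(?<![\d.]){esc}(?![\d.])")
    # Domain: match the apex and any subdomain (www.protecaocartao.online),
    # but not a longer unrelated name such as notprotecaocartao.online.
    return re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*{esc}(?![\w-])", re.IGNORECASE)


PATTERNS = {ioc: _pattern(ioc) for ioc in NETWORK_IOCS}


@dataclass
class Match:
    line_no: int
    indicator: str
    role: str


def blocklist():
    """Refanged network indicators, ready for a firewall/DNS sinkhole list."""
    return sorted(NETWORK_IOCS)


def scan_log(lines):
    """Return one Match per (line, indicator) pair found in the log lines."""
    matches = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in PATTERNS.items():
            if pat.search(line):
                matches.append(Match(n, ioc, NETWORK_IOCS[ioc]))
    return matches


def check_hashes(files):
    """files: mapping filename -> SHA-1 hex digest (any case). Returns hits."""
    return {name: SHA1_IOCS[d.upper()] for name, d in files.items()
            if d.upper() in SHA1_IOCS}


# Constructed sample log lines (timestamps, client IPs and ports are made up).
SAMPLE_LOG = [
    "2025-11-12T10:01:03Z dns client=10.0.0.5 query=www.protecaocartao.online type=A",
    "2025-11-12T10:01:04Z proxy client=10.0.0.5 dst=104.21.91.170:443 host=protecaocartao.online",
    "2025-11-12T10:02:17Z proxy client=10.0.0.9 dst=108.165.230.223:80",
    "2025-11-12T10:03:00Z dns client=10.0.0.7 query=example.com type=A",
    "2025-11-12T10:03:30Z proxy client=10.0.0.7 dst=104.21.91.1700:443",
]

# Constructed file inventory (one digest copied from the report, one benign).
SAMPLE_FILES = {
    "Download/PROTECAO_CARTAO.apk": "48a0de6a43fc6e49318ad6873ea63fe325200dbc",
    "Download/benign.apk": "0" * 40,
}

if __name__ == "__main__":
    print("blocklist:", blocklist())
    for m in scan_log(SAMPLE_LOG):
        print(f"line {m.line_no}: {m.indicator} ({m.role})")
    print("hash hits:", check_hashes(SAMPLE_FILES))
```

The token boundaries matter in practice: a naive substring check on `104.21.91.170` would also fire on the last sample line, and a plain domain check would miss the `www.` subdomain in the first one. The blocklist output is the refanged form that perimeter devices expect; keep the defanged form only in documents and tickets.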

MITRE ATT&CK

  • T1660 – Phishing: NGate has been distributed using dedicated websites.  
  • T1417.002 – Input Capture (GUI): NGate tries to obtain victims’ PIN codes via a patched text box.  
  • T1646 – Exfiltration Over C2 Channel: NGate exfiltrates victims’ PINs over HTTP.  