ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use them for contactless ATM cash-outs and unauthorized payments. Additionally, the code can capture the victims’ payment card PINs and exfiltrate them to the operators’ C&C server. The primary targets of this are users in Brazil; however, NFC-based attacks are expanding into new regions.
The malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain an emoji typical of AI-generated text, suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.
ESET Research believes that the campaign distributing the trojanized HandyPay began around November 2025 and remains active. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. ESET also reached out to the HandyPay developers to alert them about the malicious use of their application.
As the number of NFC threats keeps rising, so too has the ecosystem supporting them become more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality have become available for purchase. However, in this campaign the threat actors decided to go with their own solution and maliciously patched an existing app – HandyPay.
The first new NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). Both sites were hosted on the same domain, strongly implying a single threat actor. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device. Apart from relaying NFC data, the malicious code also steals payment card PINs, enabling the threat actor to use the victim’s payment card data to withdraw cash from ATMs.
For a more detailed analysis of the new NGate variant, check out the latest ESET Research blog post, “New NGate variant hides in a trojanized NFC payment app,” on WeLiveSecurity.com.
Like this:
Like Loading...
Related
This entry was posted on April 23, 2026 at 10:04 am and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
ESET Research: New NGate hides in NFC payment app and possibly built with AI
ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use them for contactless ATM cash-outs and unauthorized payments. Additionally, the code can capture the victims’ payment card PINs and exfiltrate them to the operators’ C&C server. The primary targets of this are users in Brazil; however, NFC-based attacks are expanding into new regions.
The malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain an emoji typical of AI-generated text, suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.
ESET Research believes that the campaign distributing the trojanized HandyPay began around November 2025 and remains active. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. ESET also reached out to the HandyPay developers to alert them about the malicious use of their application.
As the number of NFC threats keeps rising, so too has the ecosystem supporting them become more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality have become available for purchase. However, in this campaign the threat actors decided to go with their own solution and maliciously patched an existing app – HandyPay.
The first new NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). Both sites were hosted on the same domain, strongly implying a single threat actor. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device. Apart from relaying NFC data, the malicious code also steals payment card PINs, enabling the threat actor to use the victim’s payment card data to withdraw cash from ATMs.
For a more detailed analysis of the new NGate variant, check out the latest ESET Research blog post, “New NGate variant hides in a trojanized NFC payment app,” on WeLiveSecurity.com.
Share this:
Like this:
Related
This entry was posted on April 23, 2026 at 10:04 am and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.