What happened
ESET researchers have identified a new iteration of the NGate Android malware family that trojanizes HandyPay, a legitimate NFC relay application, to steal contactless payment card data and PINs from victims in Brazil. The campaign, assessed to have begun around November 2025, marks the first time NGate has specifically targeted Brazil.
The trojanized HandyPay app is distributed through two channels: fake websites impersonating Rio de Prêmios, a Rio de Janeiro state lottery, and a counterfeit Google Play Store listing for a purported card protection app. The lottery lure directs victims to send a WhatsApp message to claim a prize, after which they are prompted to download the poisoned app. Once installed, the app requests to be set as the default payment application, then asks the victim to enter their card PIN and tap their NFC-enabled card against the phone. The malware captures and relays the NFC card data to an attacker-controlled device, enabling cash withdrawals from ATMs.
HandyPay was selected over established tools partly because of its lower cost compared to existing malware-as-a-service solutions that run over $400 per month, and partly because it requires no additional permissions beyond being set as the default payment app, reducing the chance of raising suspicion. Analysis of the malware revealed emojis in debug messages, suggesting AI-generated or AI-modified code. ESET noted this aligns with a broader trend of threat actors using generative AI to produce malware with minimal technical expertise. HandyPay has launched an internal investigation.
Who is affected
Brazilian users are the primary targets of this campaign. Anyone who installed the trojanized app through the fake lottery site or counterfeit Play Store listing faces exposure of both their payment card NFC data and their PIN, enabling direct financial theft at ATMs.
Why CISOs should care
NFC relay attacks are maturing quickly. NGate has now evolved through multiple iterations, expanded geographically, and shifted to trojanizing legitimate applications rather than relying on purpose-built malware tools. The use of AI-generated code lowers the barrier for new actors to enter this space, and the lottery social engineering lure shows attackers are tailoring delivery to local context rather than using generic campaigns.
For organizations operating in Brazil or managing mobile-first workforces, this campaign is a concrete indicator that NFC-based payment fraud is no longer a niche threat. The ability to capture a PIN alongside card data makes this particularly damaging, since it enables full card emulation rather than just contactless transaction fraud.
3 practical actions
- Brief employees and customers on sideloaded app risks in markets with active NGate campaigns: The trojanized HandyPay app is not and has never been on the Google Play Store itself; the "Play Store" page used in this campaign is a counterfeit lookalike. Reinforce that payment applications should only be installed from verified official sources, and that lottery prize claims requiring an app download are a reliable red flag.
- Review mobile device management policies for default payment app controls: The malware’s first request after installation is to become the default payment app. MDM policies that restrict or require approval for default app changes on managed devices would interrupt this attack chain at an early stage.
- Monitor for NFC relay attack indicators in fraud detection systems: Transactions initiated from a relayed NFC source may exhibit timing anomalies or geographic inconsistencies relative to the cardholder’s known location. Ensure fraud detection rules account for relay attack patterns, not just card-not-present fraud.
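As an added illustration of the third action (this is example code written for this brief, not code from ESET, HandyPay or any fraud platform), the Python below scores card events on the two relay indicators named above: an EMV command/response round trip that is slower than a card physically held at the terminal could produce, and a tap-then-withdrawal sequence whose implied travel speed is impossible. The thresholds, the `CardEvent` fields and the sample records are constructed assumptions; a real deployment would take the round-trip time and location from the acquirer's terminal telemetry.

```python
"""Toy fraud-detection rule for NFC relay indicators.

Added example, not ESET's or HandyPay's code. Thresholds, field names
and sample records below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class CardEvent:
    card_id: str
    ts: datetime
    lat: float
    lon: float
    channel: str      # "pos_tap" or "atm_withdrawal" (assumed labels)
    emv_rtt_ms: int   # terminal-measured command/response round trip


# Assumed thresholds: a card in the reader answers in tens of milliseconds,
# while relaying its responses across the internet adds hundreds.
MAX_RTT_MS = 500
MAX_TRAVEL_KMH = 900   # faster than an airliner => impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def relay_indicators(events, max_rtt_ms=MAX_RTT_MS, max_kmh=MAX_TRAVEL_KMH):
    """Return {card_id: [(event_ts_iso, [reasons, ...]), ...]} for flagged events.

    Events are grouped per card and examined in time order, so each event is
    compared with the previous one on the same card.
    """
    by_card = {}
    for ev in events:
        by_card.setdefault(ev.card_id, []).append(ev)

    flagged = {}
    for card_id, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        prev = None
        for ev in evs:
            reasons = []
            # Indicator 1: timing anomaly in the EMV exchange itself.
            if ev.emv_rtt_ms > max_rtt_ms:
                reasons.append(f"slow EMV round trip {ev.emv_rtt_ms} ms")
            # Indicator 2: geographic inconsistency with the previous event.
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                if km > 0 and (hours <= 0 or km / hours > max_kmh):
                    reasons.append(f"impossible travel {km:.0f} km since previous event")
            if reasons:
                flagged.setdefault(card_id, []).append((ev.ts.isoformat(), reasons))
            prev = ev
    return flagged


# Constructed sample records, not real transactions. card-A shows a tap in
# Sao Paulo followed five minutes later by an ATM withdrawal in Rio with a
# slow round trip; card-B is an ordinary same-city sequence.
SAMPLE_EVENTS = [
    CardEvent("card-A", datetime(2025, 11, 20, 10, 0, 0), -23.55, -46.63, "pos_tap", 120),
    CardEvent("card-A", datetime(2025, 11, 20, 10, 5, 0), -22.91, -43.17, "atm_withdrawal", 940),
    CardEvent("card-B", datetime(2025, 11, 20, 9, 30, 0), -23.55, -46.63, "pos_tap", 110),
    CardEvent("card-B", datetime(2025, 11, 20, 12, 0, 0), -23.60, -46.70, "atm_withdrawal", 140),
]

if __name__ == "__main__":
    for card, hits in relay_indicators(SAMPLE_EVENTS).items():
        for ts, reasons in hits:
            print(card, ts, "; ".join(reasons))
```

Run on the sample data, only card-A's ATM withdrawal is flagged, and for both reasons at once. In practice the two signals are complementary: the round-trip check catches a relay even when the attacker's ATM is close to the victim, while the travel check catches a relay whose latency happens to stay under the threshold.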
Also in the news today:
- Dozens of Malicious Crypto Apps Land in Apple App Store
- Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
- New Lotus Data Wiper Used Against Venezuelan Energy and Utility Firms
- Italian Regulator Fines National Postal Service Organizations $15 Million for Data Privacy Violations
- Unsecured Perforce Servers Expose Sensitive Data From Major Organizations
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023
