A new and significantly more dangerous iteration of the NGate malware has been discovered, cunningly concealed within a compromised Near Field Communication (NFC) payment application. Researchers suggest that threat actors may have leveraged artificial intelligence in developing this malicious code, signaling a critical evolution in cybercriminal tactics and tools. This sophisticated NGate malware targets Android users by masquerading as a legitimate application named HandyPay, a genuine app available on Google Play since 2021, designed for relaying NFC data between devices for various everyday uses, including card sharing.
Attackers have demonstrably modified this authentic app, embedding malicious functionalities before distributing it through unofficial channels, entirely bypassing the Google Play Store. Upon installation on an unsuspecting victim’s device, this trojanized version silently pilfers payment card data via NFC and transmits it to a server controlled by the attackers. This stolen card information can then be illicitly used for contactless ATM withdrawals and unauthorized payments, presenting a substantial threat to financial security.
Understanding the Advanced NGate Malware Threat
Beyond the theft of NFC data, the NGate malware possesses the capability to capture a victim’s payment card PIN, relaying this sensitive information to the attacker’s command-and-control (C2) server using HTTP communication. Analysts at WeLiveSecurity identified this latest NGate variant, noting that the malicious code exhibited characteristics indicative of AI generation. These included the presence of emojis within log entries, a common artifact of text produced by large language models. The active campaign, which has been ongoing since November 2025, continues to specifically target Android users within Brazil, according to the report.
The distribution strategy for these attacks is multifaceted, employing two distinct channels. The first involves a deceptive lottery website that impersonates a Brazilian state lottery organization, Rio de Premios. This fraudulent site presents a seemingly rigged scratch card game where users are guaranteed to win R$20,000. Following this “win,” users are instructed to send a WhatsApp message to claim their prize, which then leads them to download the trojanized application. The second distribution channel operates through a faux Google Play page, offering the malware under the guise of an application named Protecao Cartao, which translates to “Card Protection” in English. Both of these deceptive websites were hosted on the same domain, providing strong evidence that a single threat actor is orchestrating the entire operation, leveraging advanced techniques for broader reach and impact.
How the Trojanized App Operates and Evades Detection
Once a user installs the counterfeit HandyPay application, the infection process commences with a seemingly innocuous yet highly effective setup. The application prompts the user to designate it as the default NFC payment application on their device. This request is not inherently suspicious, as it aligns with the legitimate functionality of the original HandyPay app. Crucially, the malware then entices the victim to enter their payment card PIN and subsequently tap their physical card on the back of their phone. At this precise moment, the malware skillfully reads the NFC card data, relaying it through what appears to be the standard HandyPay relay service to the attacker’s device, which is linked to a hardcoded email address embedded within the malicious code itself.
A significant factor contributing to the heightened danger of this particular NGate variant is its ability to relay NFC data without requiring any special permissions on the victim’s device. The malicious application’s sole requirement is to be set as the default payment app, so it never triggers the permission prompts that would alert the user or permission-based security tooling. The card PIN is exfiltrated separately to the C2 server, thus equipping the attackers with all the components needed to execute both unauthorized contactless payments and illicit ATM cash withdrawals.
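As an added illustration from the defender’s side (not code from the report, HandyPay or the malware), the following manifest triage check looks for the combination the article describes: an app that registers an NFC host card emulation (HCE) service, so it can be chosen as the default payment app, while also holding network access and permitting cleartext HTTP. The manifest below is constructed for the example, and the installer package name passed in is assumed to come from the device’s package manager.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded AndroidManifest.xml of a hypothetical sideloaded
# NFC relay app. This is NOT the real HandyPay or NGate manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nfcrelay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true">
    <service android:name=".RelayHceService"
             android:permission="android.permission.BIND_NFC_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def triage_manifest(manifest_xml, installer=None):
    """Return risk indicators found in a decoded AndroidManifest.xml.
    `installer` is the installing package reported by the package manager
    (None means the APK was sideloaded). The payment category itself lives in
    the referenced apduservice XML, which this check does not parse."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    # Any service answering HOST_APDU_SERVICE can become the default payment app.
    hce_services = [
        s for s in root.iter("service")
        if any(attr(a, "name") == "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
               for a in s.iter("action"))
    ]
    if hce_services:
        findings.append("declares an NFC host card emulation (HCE) service")
    if hce_services and "android.permission.INTERNET" in perms:
        findings.append("HCE service combined with network access: card data can leave the device")
    if app is not None and attr(app, "usesCleartextTraffic") == "true":
        findings.append("allows cleartext HTTP traffic (exfiltration would be visible on the wire)")
    if installer != "com.android.vending":
        findings.append("not installed from Google Play (sideloaded)")
    return findings
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest returns all four indicators; the same APK reported as installed by Google Play drops only the sideloading finding.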
To mitigate the risks associated with such sophisticated threats, users are strongly advised to exclusively download payment applications directly from official sources, such as the Google Play Store, and to conscientiously avoid installing applications from third-party websites or through links shared via messaging applications. Enabling Google Play Protect on Android devices offers an additional layer of robust protection, as it is designed to automatically detect known versions of this evolving malware. Furthermore, users should exercise extreme caution and never input their payment card PIN into a newly installed or unfamiliar application, particularly one that purports to be a prize or card protection tool. If a payment app requests NFC access without originating from a trusted and verifiable source, it should be uninstalled immediately, and the incident should be promptly reported to the relevant financial institution or card issuer to enable swift investigation and recourse.