
Cybersecurity researchers have discovered a new version of the Android malware family known as NGate. This version abuses a legitimate application called HandyPay, rather than NFCGate, as its NFC relay component.
“The attackers obtained an app used to relay NFC data and patched it with malicious code that appears to be AI-generated,” ESET security researcher Lukasz Stefanko said in a report shared with The Hacker News. “Similar to NGate before it, this malicious code allows attackers to transfer NFC data from a victim’s payment card to their own device and use it to make contactless ATM withdrawals and fraudulent payments.”
In addition, the malicious payload could capture the victim’s payment card PIN and leak it to the threat actor’s command and control (C2) server.
NGate, also known as NFSkate, was first publicly documented by a Slovak cybersecurity vendor in August 2024, detailing its ability to carry out relay attacks to siphon victims’ contactless payment data for the purpose of fraudulent transactions.
A year later, Dutch mobile security company ThreatFabric revealed details of a threat codenamed RatOn that uses a dropper app masquerading as an adult version of TikTok and deploys NGate to perform NFC relay attacks.
The latest version of NGate detected by ESET primarily targets users in Brazil, making this the first NGate campaign to target a South American country. The trojanized HandyPay application is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and through a page that mimics a Google Play Store listing for a card protection app.

The fake lottery websites try to entice users to tap a button and send a WhatsApp message to claim their winnings. Users are then directed to download the trojanized version of the HandyPay app. Regardless of the delivery method, the app prompts the user to set it as the default payment app after installation.
Victims are then asked to enter their payment card PIN into the app and tap the card against the back of their NFC-enabled smartphone. As soon as this is done, the malware abuses HandyPay's relay functionality to capture the NFC card data and forward it to an attacker-controlled device, which the attacker can then use to withdraw cash from an ATM.
The active campaign is estimated to have begun around November 2025. The malicious version of HandyPay was never available on the Google Play Store, which means the attackers rely on the delivery methods described above to trick unsuspecting users into downloading it. HandyPay has since launched an internal investigation into the matter.
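The campaign hinges on the victim making the trojanized app the device's default payment handler, so an unexpected default NFC payment app is a useful signal for anyone managing a fleet of Android devices. The script below is an added example, not from the article and not code from ESET or HandyPay. It assumes adb is installed and the device is authorised, and it assumes the Settings.Secure key `nfc_payment_default_component` holds the default handler as `package/.ServiceClass`; that key is a hidden framework constant, so confirm it on the Android version you manage. The allowlist packages are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from ESET/HandyPay): audit which app a
# managed Android device uses as its default NFC payment (host card emulation)
# handler, and flag anything outside an allowlist.
# Assumptions: adb is on PATH and the device is authorised; the Settings.Secure
# key "nfc_payment_default_component" holds "package/.ServiceClass" (hidden
# framework constant; verify it on your Android version).

# Constructed allowlist of payment packages expected in this fleet.
ALLOWED_PAYMENT_PACKAGES="com.example.bank.wallet com.example.wallet.nfc"

# check_default_payment_component COMPONENT ALLOWLIST
#   COMPONENT is the raw setting value ("package/.Service", "null" or empty).
#   Returns 0 if the package is allowlisted, 1 if it is not, 2 if no default is set.
check_default_payment_component() {
    component="$1"
    allowlist="$2"
    pkg="${component%%/*}"          # drop "/.Service" to keep the package name
    if [ -z "$pkg" ] || [ "$pkg" = "null" ]; then
        return 2
    fi
    for allowed in $allowlist; do
        [ "$pkg" = "$allowed" ] && return 0
    done
    return 1
}

# read_default_payment_component: query the connected device over adb.
read_default_payment_component() {
    adb shell settings get secure nfc_payment_default_component | tr -d '\r'
}

# audit_device: print a verdict for the connected device. Only runs when the
# script is invoked with --device, so the check function can be used offline.
audit_device() {
    component=$(read_default_payment_component)
    rc=0
    check_default_payment_component "$component" "$ALLOWED_PAYMENT_PACKAGES" || rc=$?
    case $rc in
        0) echo "OK: default payment handler '$component' is allowlisted" ;;
        1) echo "ALERT: unexpected default payment handler '$component'; review recently installed apps" ;;
        *) echo "INFO: no default payment handler set" ;;
    esac
    return $rc
}

if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Run it as `sh audit_payment_handler.sh --device` with a device attached; an ALERT verdict means an app outside the allowlist has been made the default payment handler, which is exactly the state the trojanized HandyPay asks the victim to create.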
ESET noted that HandyPay’s low subscription price may have prompted campaign operators to make the switch rather than continue with their existing turnkey solution, which costs more than $400 per month. “In addition to price, HandyPay natively requires no permissions and can help threat actors avoid arousing suspicion by simply making it the default payment app,” the company noted.
Analysis of the artifacts revealed emojis in debug and toast messages, suggesting that large language models (LLMs) were used to generate or modify the source code. Although conclusive evidence is lacking, this is consistent with a broader trend of cybercriminals using generative artificial intelligence (AI) to create malware with little or no technical expertise.
“With the emergence of yet another NGate campaign, it is clear that NFC fraud is on the rise,” ESET said. “This time, instead of using established solutions such as NFCGate and MaaS, which are provided, the attackers decided to trojanize HandyPay, an application with existing NFC relay functionality.”
