NGate Malware Returns: How Hackers Hijacked a Legitimate NFC App to Drain Android Users’ Bank Accounts

Imagine downloading what looks like a legitimate payment app, entering your card PIN as instructed, and tapping your card against your phone — exactly as you would with any contactless payment. Within seconds, a stranger on the other side of Brazil withdraws cash from your bank account at an ATM. No malicious link clicked. No suspicious permission granted. Just a tap.


This is how NGate malware’s newest variant works, and ESET researchers confirmed in April 2026 that the campaign targeting Android users in Brazil — active since November 2025 — shows no signs of stopping.

What Is NGate?

NGate is a family of Android malware purpose-built to abuse NFC (Near Field Communication) technology. Earlier variants relied on a tool called NFCGate to relay payment card data from victims’ phones to attackers’ devices. The new variant takes a different approach: it trojanizes HandyPay, a legitimate NFC relay application available on Google Play since 2021.

ESET researcher Lukáš Štefanko, who discovered the variant, explained the mechanics directly:

“The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments.” — Lukáš Štefanko, ESET Research (via The Hacker News)

ESET attributed two separate NGate samples to the same threat actor, both distributed from the same domain and built on the same modified HandyPay application.

Why Attackers Chose HandyPay for the NGate Android Malware Attack

The attackers could have licensed an off-the-shelf malware-as-a-service (MaaS) solution. Underground NFC relay tools charge steep fees: NFU Pay advertises at nearly $400/month, while TX-NFC runs around $500/month. HandyPay, by contrast, asks for a €9.99/month donation — or nothing at all.

Beyond cost, HandyPay carries another advantage: it requires virtually no Android permissions. It only needs to be set as the default payment app, a request that raises far less suspicion than apps demanding access to contacts, SMS, or storage.

This cost-benefit calculation reveals something important — sophisticated attacks no longer require sophisticated budgets.

How This Android NFC Malware Attack Actually Works

Step 1: The Lure

The campaign deploys two distribution vectors:

Vector 1 — Fake Lottery Website: Threat actors built a counterfeit site impersonating Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization. Visitors play a rigged scratch card game that always awards R$20,000. Clicking “Redeem my prize now” opens WhatsApp with a pre-filled message directed to an attacker-controlled number.

The associated WhatsApp account uses a profile photo impersonating Caixa Econômica Federal, Brazil’s government-owned bank. The victim then receives a link to download the trojanized HandyPay APK, disguised as the official Rio de Prêmios app.

Vector 2 — Fake Google Play Page: A counterfeit Google Play listing distributes the malware under the name Proteção Cartão (“Card Protection”). Victims manually download and sideload the APK after bypassing Android’s built-in warning.

The trojanized HandyPay application has never appeared on the official Google Play Store.

Step 2: Installation and Trust Building

Once installed, the app behaves identically to the legitimate HandyPay application. It requests one thing: to be set as the default NFC payment app. This is standard HandyPay behavior, so victims see nothing unusual.

Step 3: Data Theft

The app prompts victims to enter their payment card PIN and tap their card against the device with NFC enabled. While this appears to be routine payment setup, the malware simultaneously:

  • Relays NFC card data from the victim’s card to an attacker-controlled device, enabling contactless transactions and ATM withdrawals
  • Exfiltrates the card PIN separately over HTTP to a dedicated command-and-control (C&C) server, entirely independent of HandyPay’s own infrastructure

ESET’s analysis of the attacker’s C&C server found logs from four compromised devices, all geolocated in Brazil, containing captured PINs, IP addresses, and timestamps — evidence of real-world exploitation already in motion.

How AI Is Used in the NGate Android Malware Attack

One of the most significant findings involves the malware’s code itself. ESET researchers noticed emoji characters embedded in the malware’s log strings — a pattern strongly associated with output from large language models. While definitive proof of AI involvement remains elusive, ESET assessed that threat actors likely used generative AI to produce or assist in writing the malicious code.

This fits a documented and growing trend: cybercriminals using LLMs to generate functional malicious code without needing deep programming expertise. The barrier to entry for sophisticated attacks keeps falling.

As ESET concluded in their report:

“The high likelihood that GenAI was used to help with the creation of the malicious code demonstrates how cybercrooks can do harm by abusing LLMs even without the need for technical expertise.” — ESET Research, WeLiveSecurity

How Attackers Manage NGate Malware Data and Servers

The attackers built a lean operation. A single C&C server handles both APK distribution and PIN harvesting, centralizing delivery and data collection in one place. The attacker’s device links to an email address hardcoded within the malicious app, ensuring all captured NFC traffic routes exclusively to the attacker.

ESET observed two different attacker email addresses across the analyzed samples.

Known Indicators of Compromise (IoCs):

Type     Value                                      Details
APK      48A0DE6A43FC6E49318AD6873EA63FE325200DBC   Android/Spy.NGate.CC
APK      A4F793539480677241EF312150E9C02E324C0AA2   Android/Spy.NGate.CB
APK      94AF94CA818697E1D99123F69965B11EAD9F010C   Android/Spy.NGate.CB (Rio de Prêmios variant)
Domain   protecaocartao[.]online                    NGate distribution website (Cloudflare, first seen 2025-11-08)
IP       108.165.230[.]223                          NGate C&C server (BattleHost, first seen 2025-11-09)

Full IoC list: ESET GitHub Repository
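As an added defender-side example (not code from ESET, HandyPay, or this article), the following Python matches the indicators above against constructed log lines and APK hashes. It assumes the 40-digit hashes are SHA-1 and that the log lines follow a hypothetical timestamp / client / method / URL layout; the log lines themselves are constructed, not real telemetry.

```python
"""Match the NGate indicators from the article's IoC table against constructed data."""
import hashlib
import re

# Indicators copied from the article's IoC table, kept in their defanged form.
# The APK hashes are assumed to be SHA-1 (40 hex digits).
NGATE_IOCS = {
    "apk_sha1": {
        "48A0DE6A43FC6E49318AD6873EA63FE325200DBC": "Android/Spy.NGate.CC",
        "A4F793539480677241EF312150E9C02E324C0AA2": "Android/Spy.NGate.CB",
        "94AF94CA818697E1D99123F69965B11EAD9F010C": "Android/Spy.NGate.CB (Rio de Prêmios variant)",
    },
    "domain": {"protecaocartao[.]online": "NGate distribution website"},
    "ip": {"108.165.230[.]223": "NGate C&C server"},
}

# Constructed sample lines (not real telemetry): timestamp, client, method, URL.
SAMPLE_LOG = """\
2025-11-09T10:01:02Z 10.0.0.12 GET http://protecaocartao.online/ProtecaoCartao.apk
2025-11-09T10:01:05Z 10.0.0.12 POST http://108.165.230.223/pin
2025-11-09T10:02:00Z 10.0.0.14 GET https://play.google.com/store
"""

HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in published IoC lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def network_iocs() -> dict:
    """Refanged, lower-cased domain and IP indicators mapped to their description."""
    merged = {**NGATE_IOCS["domain"], **NGATE_IOCS["ip"]}
    return {refang(k).lower(): v for k, v in merged.items()}


def scan_log(text: str) -> list:
    """Return (timestamp, host, description) for every line whose URL host is a known IoC."""
    hosts, hits = network_iocs(), []
    for line in text.splitlines():
        match = HOST_RE.search(line)
        if match and match.group(1).lower() in hosts:
            host = match.group(1).lower()
            hits.append((line.split()[0], host, hosts[host]))
    return hits


def lookup_sha1(hexdigest: str):
    """Detection name for a known NGate APK hash, or None when the hash is not listed."""
    return NGATE_IOCS["apk_sha1"].get(hexdigest.strip().upper())


def check_apk_bytes(data: bytes):
    """Hash raw APK bytes with SHA-1 and look the digest up in the IoC table."""
    return lookup_sha1(hashlib.sha1(data).hexdigest())
```

Running `scan_log(SAMPLE_LOG)` flags the two constructed lines that reach the distribution domain and the C&C address; `check_apk_bytes` returns the ESET detection name only for a file whose SHA-1 is in the table.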

MITRE ATT&CK Mapping

Tactic              ID          Technique
Initial Access      T1660       Phishing via dedicated fake websites
Credential Access   T1417.002   GUI Input Capture (PIN harvesting via fake text field)
Exfiltration        T1646       Exfiltration Over C2 Channel (HTTP PIN exfiltration)

ESET notified Google through the App Defense Alliance after discovering the trojanized application. ESET also contacted the HandyPay developer directly. The developer confirmed an internal investigation is underway. As of publication, the trojanized app has not appeared on the official Google Play Store.

How to Protect Yourself from the NGate Android Malware Attack

Security experts offer clear guidance in response to this campaign’s growth:

  • Install apps only from the official Google Play Store. Never sideload APKs received via WhatsApp, SMS, or lottery websites.
  • Never enter your payment card PIN into a mobile app unless you are completely certain of its legitimacy.
  • Keep NFC disabled when not actively using it. Enable it only for specific transactions.
  • Enable Google Play Protect. It detects and blocks known NGate variants.
  • Treat unsolicited prize notifications with extreme suspicion. Legitimate lotteries do not contact winners through WhatsApp links.

NFC payment fraud is expanding — geographically and operationally. The NGate campaign’s shift from purpose-built malware tools to trojanizing a legitimate, low-cost application reflects a broader strategic evolution among threat actors: cheaper infrastructure, AI-assisted development, and social engineering sophisticated enough to bypass technical safeguards entirely.

The weapon here is not a zero-day exploit or a novel vulnerability. It is trust in a familiar app interface, in the appearance of a government lottery, in the routine act of tapping a card to a phone.

As NFC payments grow globally, campaigns like this one will follow.
