NGate Malware Trojanizes HandyPay App to Steal Contactless PINs in Brazil
ESET Research has uncovered a new NGate variant that trojanizes the legitimate HandyPay Android app to relay NFC data and intercept PINs. By leveraging low-cos…

ESET Research has identified a new variant of the NGate malware family that trojanizes the legitimate HandyPay Android application to steal payment card PINs and relay NFC data to attacker-controlled devices. Active since November 2025, the campaign targets Android users in Brazil, distributing the malicious app through social engineering sites masquerading as the Rio de Prêmios lottery and a fraudulent Google Play page for an app titled "Proteção Cartão." This shift is as much economic as it is technical: operators have replaced specialized Malware-as-a-Service (MaaS) kits—typically costing $400–$500 per month—with a consumer app costing roughly €9.99, significantly lowering the barrier to entry for contactless payment cybercrime.
- ESET Research identified an NGate variant that injects malicious code into the legitimate HandyPay app to facilitate NFC relay, intercepting PINs and card data without requiring permissions beyond default payment settings.
- The campaign has been active since November 2025 in Brazil, utilizing two distinct samples hosted on the same domain, suggesting a single operation managed by the same actor.
- Researchers found emojis in the malware's log strings, a pattern ESET associates with generative AI (GenAI) text output; ESET treats AI-assisted authorship as highly probable but not proven.
- Command-and-control (C2) server logs revealed data from four compromised devices geolocated in Brazil, including captured PINs, IP addresses, and infection timestamps.
HandyPay as a Vector: Turning Legitimate Apps into Weapons
NGate is a malware family specialized in NFC relay abuse: it intercepts payment card data on a victim's smartphone and forwards it over the internet to an attacker's device, enabling unauthorized contactless transactions or ATM withdrawals. Earlier NGate operations were built on dedicated relay tooling such as the open-source NFCGate research tool. The variant discovered by ESET departs from this by abusing HandyPay, a legitimate, publicly available application offered under a donation model of approximately €9.99 per month.
This choice appears calculated. Existing MaaS kits for NFC relay, such as NFU Pay and TX-NFC, cost $400 to $500 per month. By trojanizing HandyPay, attackers obtain equivalent functionality at a fraction of the cost, with the added benefit of hiding malicious code behind a recognized app name and icon. The trojanized build was never distributed through the official Google Play Store; it appeared only on external sites and via WhatsApp contacts tied to the social engineering campaign.
The GenAI Footprint: Automating Malware Production
A distinctive element of ESET's analysis concerns the likely origin of the injected code. Researchers found emojis in the malware's logs of the kind characteristic of text produced by GenAI tools. ESET's report is careful here: it calls the GenAI hypothesis highly probable while acknowledging that definitive proof is lacking. Even with that reservation, the implication is significant: if confirmed, it shows how readily available tools are lowering the skill required to trojanize a consumer application.
Operationally, the approach is lean. The trojanized app only needs to be selected as the device's default payment app in Android's contactless payment settings; it requests no additional runtime permissions that might trigger a security prompt or draw attention. This keeps the visible footprint small and increases the likelihood that a victim leaves the app installed long enough for the attackers to capture a PIN and relay NFC data to the C2 server.
Distribution Vectors: Fake Lotteries and Cloned Play Stores
ESET observed two distinct NGate samples sharing the same trojanized HandyPay base and hosting domain, linking both to a single threat actor. The first sample is distributed through a site impersonating the Brazilian lottery Rio de Prêmios, dangling a fake prize of roughly R$20,000 (Brazilian reais) as bait. The second is delivered via a page mimicking Google Play for an app called Proteção Cartão.
The campaign exhibits deep local context: the language is Portuguese, the lure is a popular Brazilian lottery, and all four compromised devices identified in the C2 logs were geolocated in the country. ESET attempted to contact the WhatsApp number associated with the fraudulent site using non-Brazilian numbers but received no response, suggesting the operators may be using geographic filtering.
"To trojanize HandyPay, threat actors most probably used GenAI, indicated by emoji left in the logs that are typical of AI-generated text." — ESET Research
Mitigation and Security Recommendations
- Keep Google Play services present and Google Play Protect enabled; Play Protect blocks known versions of this malware on up-to-date, unmodified Android devices.
- Install NFC payment applications exclusively from the official Google Play Store, avoiding links received via WhatsApp, SMS, or email, even if they appear to be linked to known services like lotteries or financial institutions.
- Developers and distributors of legitimate payment apps should implement code integrity checks and anti-tampering mechanisms, and pair them with server-side verification, since a check that lives only in the client can be patched out by whoever repackages the app; trojanizing consumer apps is becoming a low-cost vector for cybercrime.
- Financial institutions operating in Brazil and other high-penetration contactless markets should monitor for anomalous transaction patterns consistent with NFC relay, including ATM withdrawals far from a cardholder's usual location.
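As an added illustration of the last recommendation (this is example code written for this article, not ESET's tooling or any bank's fraud engine), the script below scores a card's new transactions against its history using two signals consistent with NFC relay: an ATM withdrawal far from the cardholder's usual location, and "impossible travel" between two consecutive transactions. The transaction records, the tokenized card reference, and the thresholds (home radius, maximum plausible speed) are all constructed assumptions.

```python
"""Flag card transactions consistent with NFC relay abuse.

Example code written for this article (not ESET's or any bank's code). The
records below are constructed, and the thresholds are assumptions that a real
fraud engine would tune per portfolio.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    card: str        # tokenized card reference (assumed), never the PAN
    ts: datetime     # UTC timestamp
    lat: float
    lon: float
    kind: str        # "POS" (contactless purchase) or "ATM" (withdrawal)
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Assumed thresholds.
HOME_RADIUS_KM = 50.0      # an ATM withdrawal beyond this is "far from home"
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two txns is not travel


def usual_location(history):
    """Crude 'usual location': mean of historical coordinates. Adequate for a
    single-city history; a production system would cluster instead."""
    n = len(history)
    return (sum(t.lat for t in history) / n, sum(t.lon for t in history) / n)


def flag_relay_candidates(history, new_txns):
    """Return {txn: set(reasons)} for new transactions that look like relay abuse.
    Two reasons together (distance and timing) is a much stronger signal than one."""
    home_lat, home_lon = usual_location(history)
    timeline = sorted(list(history) + list(new_txns), key=lambda t: t.ts)
    flagged = {}
    for prev, cur in zip(timeline, timeline[1:]):
        if cur not in new_txns:
            continue
        reasons = set()
        if cur.kind == "ATM" and haversine_km(home_lat, home_lon, cur.lat, cur.lon) > HOME_RADIUS_KM:
            reasons.add("atm_far_from_home")
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        # A large distance with (near) zero elapsed time is the strongest relay signal.
        if dist > 1.0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH):
            reasons.add("impossible_travel")
        if reasons:
            flagged[cur] = reasons
    return flagged


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


SAO_PAULO = (-23.5505, -46.6333)
RIO = (-22.9068, -43.1729)
LISBON = (38.7223, -9.1393)

# Constructed history: a cardholder who normally transacts in Sao Paulo.
HISTORY = [
    Txn("tok-1", _utc(2025, 11, 3, 12, 5), -23.552, -46.630, "POS", 42.0),
    Txn("tok-1", _utc(2025, 11, 4, 18, 40), -23.549, -46.636, "POS", 15.5),
    Txn("tok-1", _utc(2025, 11, 5, 9, 15), -23.551, -46.634, "ATM", 200.0),
]

# Constructed new activity: a local purchase, an ATM withdrawal in Lisbon twenty
# minutes later (relay pattern), then a Rio withdrawal the next day (far from
# home, but reachable in the elapsed time).
NEW = [
    Txn("tok-1", _utc(2025, 11, 6, 10, 0), *SAO_PAULO, "POS", 30.0),
    Txn("tok-1", _utc(2025, 11, 6, 10, 20), *LISBON, "ATM", 300.0),
    Txn("tok-1", _utc(2025, 11, 7, 14, 0), *RIO, "ATM", 100.0),
]


if __name__ == "__main__":
    for txn, reasons in flag_relay_candidates(HISTORY, NEW).items():
        print(f"{txn.ts:%Y-%m-%d %H:%M} {txn.kind:3} {txn.amount:7.2f} -> {sorted(reasons)}")
```

Run as a script it prints one line per flagged transaction: the Lisbon withdrawal carries both reasons, the Rio withdrawal only the distance one, and the local purchase is silent. Pairing the distance signal with the timing signal matters because a legitimately travelling cardholder trips the first but not the second.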
The Democratization of NFC Relay: Cost as a Weapon
The strategic relevance of this discovery extends beyond Brazil. The adoption of HandyPay as a vector suggests a form of criminal disintermediation: attackers no longer need a MaaS subscription costing hundreds of dollars a month when they can trojanize a consumer app for a few euros. If GenAI becomes a standard method for producing such modifications, the lifecycle from conception to distribution could shrink further.
Brazil serves as a laboratory for this hybrid model, combining localized social engineering, NFC relay, and PIN theft with economically scalable tools. With technical feasibility proven, the remaining variable is how quickly this stack will be replicated in other regions dependent on contactless payments. ESET has contacted the developer of HandyPay, who confirmed that an internal investigation is underway. Regardless of the outcome, pressure on consumer app providers to harden source code and binaries is expected to intensify.