A New Variant of NGate Malware Emerges, Targeting NFC Payment Systems
A new variant of the NGate malware family has surfaced. It is delivered as a trojanized Android application and siphons payment card data and PINs from its victims. Research published by ESET on April 21 reports that the campaign has changed its tooling: instead of the open-source relay tools earlier NGate builds depended on, it ships a modified version of a legitimate near-field communication (NFC) relay app called HandyPay.
Targeting Brazilian Users
ESET's researchers say the malicious build of HandyPay has been circulating since November 2025, primarily targeting users in Brazil. The functionality the attackers added lets them capture card data together with the PIN and reuse both for fraudulent contactless payments and ATM withdrawals.
Once the trojanized app is installed, it relays the NFC data of a card tapped against the victim's phone to devices the attackers control, which then present that card to a payment terminal or ATM. A relayed transaction appears to the terminal as an ordinary card-present tap, which is why it does not immediately trip the user's or the bank's fraud controls.
Implementation Through Deceptive Channels
ESET examined two malware samples, both delivered through phishing pages hosted on the same domain. One impersonates a popular Brazilian lottery site; the other imitates a Google Play listing for a card-protection tool.
Both pages instruct the visitor to download and install the app manually. Because it is not on an official store, the install triggers Android's prompt to allow apps from unknown sources, and the victim has to grant that before the malware can run. That prompt is the one point in the chain where the user is explicitly asked to let this happen.
The Malicious App’s Functionality
Once installed, the trojanized HandyPay app performs three actions:
- Reading the NFC data of any payment card tapped against the infected phone.
- Prompting the victim for the card's PIN and recording it.
- Sending both to infrastructure controlled by the attackers.
Because the legitimate HandyPay is itself an NFC relay app, this behaviour blends in with the app's stated purpose: to the victim it looks like a payment app doing what a payment app does, while the card data and PIN leave the device.
Stealthy Operations Amidst a Changing Threat Landscape
One notable aspect of the new variant is that it needs far fewer permissions than typical Android banking malware. Instead of abusing broad permissions, it asks to be set as the device's default payment (contactless) app, a request that looks entirely reasonable for an app marketed as a payment tool, and operates from that role. The small permission footprint gives users and security tools little to single out, so the practical check is to look at which app currently holds the default payment role rather than at the permission list alone.
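The two facts above (the app's NFC-plus-network capability and its claim on the default payment role) are also what an incident responder can look for on a handset. The following is an added example, not code from ESET or from HandyPay: it triages a constructed excerpt modelled on `adb shell dumpsys package` output together with the value of Android's `nfc_payment_default_component` secure setting, flagging sideloaded packages that hold both `android.permission.NFC` and `android.permission.INTERNET` and raising an alert when the default payment component belongs to one of them. All package, installer and component names in the sample are fictitious; real dumpsys output carries many more fields than the excerpt.

```python
"""Triage helper for the NFC relay pattern: added example, not ESET or HandyPay code.
Works on a constructed excerpt modelled on `adb shell dumpsys package` output and the
`nfc_payment_default_component` secure setting; all names below are made up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Play Store installer id; add OEM stores you trust. Anything else counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Together these let an app read a tapped card and ship the data off-device.
# android.permission.NFC is an install-time "normal" permission, so there is no runtime prompt.
RELAY_PERMISSIONS = {"android.permission.NFC", "android.permission.INTERNET"}


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    permissions: Set[str] = field(default_factory=set)

    @property
    def sideloaded(self) -> bool:
        return self.installer not in TRUSTED_INSTALLERS


def parse_dumpsys_package(text: str) -> List[PackageInfo]:
    """Extract name, installer and requested permissions from each 'Package [..]' block."""
    packages: List[PackageInfo] = []
    current: Optional[PackageInfo] = None
    in_requested = False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(name=m.group(1))
            packages.append(current)
            in_requested = False
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        if re.match(r"\s*requested permissions:", line):
            in_requested = True
            continue
        if in_requested:
            m = re.match(r"\s+([\w.]+\.permission\.[\w.]+)\s*$", line)
            if m:
                current.permissions.add(m.group(1))
            else:
                in_requested = False  # next section reached, e.g. 'install permissions:'
    return packages


def relay_candidates(packages: List[PackageInfo]) -> List[PackageInfo]:
    """Sideloaded packages holding every permission an NFC relay needs."""
    return [p for p in packages if p.sideloaded and RELAY_PERMISSIONS <= p.permissions]


def check_default_payment_app(component: str, packages: List[PackageInfo]) -> Dict[str, object]:
    """component: value of `settings get secure nfc_payment_default_component`,
    formatted <package>/<service class>, or 'null' when no default is set."""
    pkg_name = component.split("/", 1)[0] if component and component != "null" else None
    pkg = next((p for p in packages if p.name == pkg_name), None)
    return {"package": pkg_name, "known": pkg is not None, "sideloaded": bool(pkg and pkg.sideloaded)}


def triage(dumpsys_text: str, default_payment: str) -> Dict[str, object]:
    packages = parse_dumpsys_package(dumpsys_text)
    default = check_default_payment_app(default_payment, packages)
    return {
        "relay_candidates": [p.name for p in relay_candidates(packages)],
        "default_payment": default,
        "alert": bool(default["sideloaded"]),  # contactless role held by a sideloaded app
    }


# Constructed sample modelled on dumpsys output; packages and hashes are fictitious.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wallet] (1a2b3c):
    userId=10105
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.cardguard] (4d5e6f):
    userId=10231
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (7a8b9c):
    userId=10240
    installerPackageName=com.android.packageinstaller
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_DEFAULT_PAYMENT = "com.example.cardguard/.PaymentRelayService"

if __name__ == "__main__":
    print(triage(SAMPLE_DUMPSYS, SAMPLE_DEFAULT_PAYMENT))
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure nfc_payment_default_component`. The installer field is a heuristic, not proof: a null or package-installer value means the app did not come through the Play Store, which is exactly the path described above, but legitimate apps from OEM stores also show up that way, so add those stores to `TRUSTED_INSTALLERS` before relying on the result. Newer Android releases also manage the wallet role separately, so treat the setting as one signal among several.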
The Role of Generative AI in Malware Development
Inspection of the code also suggests that generative AI tools may have been used in its development: the researchers found emoji markers in debug log strings, a pattern commonly seen in AI-generated code. That is not proof on its own, but it fits a broader trend of criminals using large language models (LLMs) to speed up malware development.
An Evolving Landscape of Threats
The shift marks an escalation in NFC fraud tooling. Earlier NGate variants were built on open-source relay tools such as NFCGate to forward NFC traffic between devices; the new one combines that relay capability with features more typical of banking trojans, such as harvesting the PIN alongside the card data.
ESET reported its findings to Google. In a statement, Google said Google Play Protect detects the known versions of this malware. HandyPay's developers have reportedly also been notified and are investigating the misuse of their app. Note that Play Protect only catches samples it already knows, and that the app never passes through the store at all, so the unknown-sources prompt is the earlier line of defence.
Users and developers alike need to stay vigilant. In practical terms: do not install payment or card-protection apps from links on websites, keep Play Protect enabled, and check which app is set as the default contactless payment handler, since taking that role is what this variant relies on. With contactless payments now routine, an app that asks for that role deserves the same scrutiny as one that asks for the card itself.

