Cybersecurity experts have identified a new version of the NGate malware, which has been adapted to exploit the HandyPay application, a legitimate tool for NFC data transfer. This malicious activity has been primarily targeting users in Brazil. According to ESET security researcher Lukáš Štefanko, the attackers modified HandyPay with AI-generated harmful code to intercept NFC data from victims’ payment cards.
How NGate Targets NFC Data
The NGate malware, also referred to as NFSkate, was initially documented by Slovakian cybersecurity firm ESET in August 2024. Known for its ability to execute NFC relay attacks, NGate aims to extract contactless payment data, enabling the perpetrators to execute unauthorized transactions. In its latest iteration, the malware has been distributed through websites that imitate the Rio de Prêmios lottery, tricking users into downloading the compromised HandyPay app.
Once installed, the app prompts users to set it as their default payment application. Subsequently, the user is deceived into entering their card PIN and tapping their card on an NFC-enabled device. This process allows the malware to capture and transmit NFC data to a device controlled by the attackers, facilitating the misuse of the stolen information for ATM withdrawals.
Distribution Tactics and Campaign Origins
The ongoing campaign is believed to have started around November 2025. The altered HandyPay app has never been available on the Google Play Store, indicating that attackers rely on deceptive methods to circulate the app. HandyPay has initiated an internal probe to address these security breaches.
Researchers have noted that the lower subscription costs associated with HandyPay might have influenced the attackers’ decision to switch from other costly solutions. The app’s minimal permission requirements further aid in keeping the operation under the radar, as it only needs to be set as the default payment app.
AI’s Role in Malware Development
Analysis of the infected app indicates the use of emojis in debug and toast messages, suggesting the involvement of large language models in the code generation or modification process. Although definitive evidence is lacking, this aligns with a growing trend of cybercriminals leveraging generative AI to create malware with limited technical know-how.
ESET’s findings underscore a concerning rise in NFC-related fraud as cybercriminals continuously adapt their strategies. The decision to exploit HandyPay rather than established NFC solutions reflects an ongoing evolution in attack methodologies, signaling the need for enhanced vigilance among users and cybersecurity professionals alike.
