A sophisticated variant of the NGate malware has emerged, embedding itself within a compromised NFC payment application. Cybercriminals have reportedly leveraged artificial intelligence to enhance the malice of this attack, marking a pivotal evolution in the construction of cyber threats.
Disguised as Legitimate Software
The malware targets Android users by masquerading as HandyPay, a genuine application available on Google Play since 2021. HandyPay facilitates NFC data exchange for practical applications such as card sharing. However, attackers have modified the app with malicious code and are distributing it outside the official Google Play Store.
Upon installation on a victim’s device, this altered version stealthily captures payment card data via NFC, transmitting it to an attacker-operated device. This enables unauthorized use of the stolen card data for ATM withdrawals and fraudulent payments.
Advanced Data Theft Techniques
Beyond NFC data theft, the malware is capable of intercepting the user’s payment card PIN and transmitting it to the attackers’ command-and-control server using HTTP. Analysts from WeLiveSecurity have identified this NGate variant, noting the presence of AI-generated code features, including emojis in log entries typical of language models.
The malware campaign has been active since November 2025, primarily targeting Android users in Brazil through distinct distribution channels.
Distribution Tactics and User Impact
The first distribution method involves a counterfeit lottery website imitating the Brazilian Rio de Premios lottery. Users are tricked with a rigged game offering a false prize, leading them to download the compromised app via WhatsApp. The second method uses a fake Google Play page to distribute the malware as Protecao Cartao, translating to Card Protection.
Both fake sites are hosted on the same domain, suggesting a singular entity behind this malicious operation.
Once installed, the app requests to become the default NFC payment application, a request that seems legitimate due to its alignment with HandyPay’s original function. The malware then captures and forwards NFC data and the card PIN to attackers.
Protecting Against NGate Malware
This NGate variant is notably dangerous due to its ability to operate without special permissions, evading standard security checks. Users are advised to download apps only from official sources such as Google Play Store and to activate Google Play Protect to detect known malware versions.
Additionally, users should avoid entering their payment card PIN into unfamiliar apps and report any suspicious activities to their bank or card issuer. Immediate uninstallation of any app requesting unauthorized NFC access is also recommended.
For ongoing updates, follow us on Google News, LinkedIn, and X, and set CSN as a preferred source on Google.
