New NGate Malware Variant Exploits HandyPay App to Steal NFC Payment Data in Brazil
Severity: High (Score: 67.5)
Sources: Bleepingcomputer, github.com, Feeds2.Feedburner, www.welivesecurity.com
Summary
ESET Research has identified a new variant of the NGate malware family that targets Android users in Brazil by embedding malicious code in a trojanized version of the HandyPay app. The malware abuses the app's legitimate functionality to relay NFC payment data, allowing attackers to steal card information and PINs for unauthorized transactions. The campaign, active since November 2025, uses social engineering to distribute the malware through a fake Google Play page and a fraudulent lottery website. The trojanized HandyPay app has never been available on the official Google Play store, and users are advised to avoid downloading APKs from untrusted sources. ESET's findings indicate that the malware may have been developed using generative AI tools, as evidenced by the presence of emojis in the code. Android users are protected against known versions of this malware through Google Play Protect. ESET has communicated with both Google and the HandyPay developer regarding this issue.

Key Points:
- A new NGate malware variant targets Android users in Brazil via a trojanized HandyPay app.
- The malware captures NFC payment data and PINs for unauthorized transactions.
- The campaign has been active since November 2025, using social engineering for distribution.
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- Zero-day Exploit (attack_type)
- NGate Campaign (campaign)
- Caixa Econômica Federal (company)
- Loterj (company)
- Rio De Prêmios (company)
- Brazil (country)
- CWE-200 - Exposure of Sensitive Information (cwe)
- spy.ngate.cc (domain)
- Ngate (malware)
- PhantomCard (malware)
- T1566.002 - Spearphishing Link (mitre_attack)
- Android (platform)
- Google Play (platform)
- HandyPay (platform)
- NFC (platform)
- WhatsApp (platform)
- GenAI (tool)
- NfcGate (tool)