A new wave of the Android malware NGate is targeting users in Brazil, allowing attackers to steal bank card details and PIN codes for use in fraudulent financial transactions.
Cybercrime investigators reported that the attackers began distributing NGate through HandyPay, a legitimate app.
The distribution method has changed significantly. Rather than building on the NFCGate application used in earlier campaigns, the attackers took the legitimate HandyPay application and infected it with malicious code.
According to ESET, the attackers simply took an existing application (HandyPay) designed to transmit information over Near Field Communication (NFC) and added a piece of malicious code, presumably written or modified with the help of artificial intelligence. The application’s visible behavior and functionality remained unchanged, but it gained the ability to carry out covert functions.
As in earlier NGate operations, the attackers can intercept a victim’s credit or debit card data when the card is brought into NFC range of the victim’s phone. That data is relayed to another device owned or controlled by the attacker. This lets fraudsters make unauthorized contactless payments against the victim’s account and withdraw cash at ATMs from that account without the victim’s consent.
The malicious payload can also capture the Personal Identification Number (PIN) the victim enters on the phone and send it to a remote server controlled by the attackers. Together, the card data and the PIN give the attacker effectively complete access to the victim’s finances.
NGate is not a new threat. It was first described in August 2024 and resurfaced in a later campaign known as RatOn, in which the attackers distributed fake apps posing as an adult version of TikTok that carried the malware.
However, unlike previous campaigns targeting consumers worldwide, this particular campaign clearly focuses on Brazil.
A large-scale attack using NGate has not occurred in Brazil until recently.
The campaign uses social engineering to lure victims to websites that imitate games run by the Rio de Prêmios lottery. Once on one of these sites, users are offered a chance to “win” if they follow a link to WhatsApp. There they are prompted to download the Trojanized version of HandyPay, and those who install it are asked to grant HandyPay permission to act as the device’s default payment application.
Users are then directed to enter their debit or credit card PIN, tap their card against the phone, and proceed with the transaction. At that moment the malware reads the card holder’s data (card number and expiration date) and transmits it to the attackers.
Importantly, HandyPay has never been available on Google Play. The entire campaign relies on tricking users into installing the app from outside Google Play.
Researchers claim that this campaign has been active since November 2025. HandyPay has stated that it is investigating the situation internally.
ESET also found something else of interest: emoji characters inside both the code and the messaging associated with the Trojanized HandyPay. These may indicate that the attackers used large language models (LLMs) while developing or modifying the malware. Although the researchers cannot say for certain whether or how LLMs were used, the finding fits the broader trend of cyber-criminals increasingly adopting generative AI to create malware.
As for why the attackers chose HandyPay, the researchers believe cost savings may have been a factor. HandyPay’s subscription fee appears cheaper than the alternative tooling attackers would otherwise use, some of which costs more than $400 per month. HandyPay also requires fewer permissions to operate, and because it must be set as the default payment application anyway, the malicious version can go unnoticed for longer.
Finally, ESET believes NFC-based threats are on the rise. Historically, attackers mostly relied on pre-existing tools and methods for such attacks; today they are increasingly adapting legitimate applications to their own ends and turning them into tools for stealing people’s money.