NGate Malware Hides in Trojanized NFC Payment Apps
ESET Research uncovered a new variant of the NGate Android malware trojanizing the legitimate NFC relay app HandyPay. The patched app, distributed outside Google Play via a fake Brazilian lottery site and a fake Play storefront, transparently relays victims' NFC card data to an attacker-controlled device and captures payment card PINs. Artifacts in the injected code, including emoji in log strings, indicate threat actors likely used generative AI to produce or refactor the malicious logic. The campaign has been active since November 2025, targets users in Brazil, and uses minimal additional permissions and hard-coded attacker identifiers to evade detection and social engineering checks.
What happened - ESET Research discovered a new variant of the NGate Android malware that has been trojanized into the legitimate NFC relay application HandyPay. The maliciously patched HandyPay is not on the official Google Play store; attackers distributed it via a fake Brazilian lottery website and a fake Google Play page. The compromised app intercepts NFC payloads, exfiltrates them to operator infrastructure, and captures card PINs, enabling contactless ATM cash-outs and unauthorized payments. ESET links the campaign to November 2025 and reports active targeting of users in Brazil.
Technical details - The malicious build preserves the original app's behavior to avoid suspicion while inserting payloads that relay NFC frames to an attacker device able to emulate cards. ESET analysts found log strings and artifacts consistent with generative-AI authoring, notably emoji in developer-facing logs. Key technical observations include:
- The trojanized app requests almost no additional permissions beyond normal HandyPay needs, reducing user suspicion and Play Protect triggers.
- NFC payloads are relayed to a pre-linked attacker device via hard-coded email identifiers and exfiltrated to command-and-control infrastructure.
- The implanted code also captures PIN entry and forwards it to operators, combining NFC relay with banking-trojan capabilities.
- ESET observed two distribution samples hosted on the same domain, implying a single operator or cluster.
Context and significance - This campaign is important for three reasons. First, using a trojanized, legitimate NFC helper app is a pragmatic evasive technique: the app's normal workflow (asking to be the default payment handler and guiding card taps) removes the obvious permission or UX anomalies that would otherwise draw attention. Second, the presence of AI-style artifacts shows how generative tools are lowering the technical barrier for sophisticated mobile malware, enabling lower-skill actors to assemble multi-stage fraud chains quickly. Third, NFC-specific attacks that pair card emulation with PIN capture directly threaten physical cash-out fraud and contactless payment systems, creating high-loss events for banks and victims.
Operational implications for practitioners - Mobile security teams, fraud teams, and platform defenders should update threat models to account for:
- Trojans that preserve legitimate UX while implanting silent exfiltration channels.
- Malicious builds distributed off-store but impersonating trusted brands or local services.
- AI-assisted code that can make malware more polymorphic and faster to develop.
Practically, this means tightening telemetry around default payment handler changes, monitoring for unusual NFC traffic or replays, flagging hard-coded remote identifiers in APKs, and expanding offline screening of popular third-party payment helpers.
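As an added illustration of the "flag hard-coded remote identifiers in APKs" recommendation above (example code written for this summary, not ESET's tooling or anything from the HandyPay project), the following Python triage script treats an APK as a zip, pulls printable strings from its compiled code and resources, and reports hard-coded e-mail identifiers, URLs, and emoji-bearing log strings of the kind the write-up attributes to AI-generated code. The sample APK it scans is constructed in memory with placeholder values; no real indicator from the campaign is used.

```python
import io
import re
import zipfile

# Heuristic indicators drawn from the write-up: hard-coded e-mail identifiers used to
# pair with a remote device, URLs that may point at C2, and emoji inside log strings.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[A-Za-z0-9./_%?=&-]+")
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")
# APK entries where string constants live: DEX code, compiled resources, native libs.
SCAN_SUFFIXES = (".dex", ".arsc", ".so")

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable runs from a binary blob (DEX strings are MUTF-8, close enough to UTF-8)."""
    text = data.decode("utf-8", errors="ignore")
    return [s for s in re.split(r"[\x00-\x1f]+", text) if len(s) >= min_len]

def scan_apk(apk_bytes: bytes) -> dict:
    """Collect e-mail identifiers, URLs and emoji-bearing strings from scannable APK entries."""
    findings = {"emails": set(), "urls": set(), "emoji_strings": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(SCAN_SUFFIXES):
                continue
            for s in extract_strings(z.read(name)):
                findings["emails"].update(EMAIL_RE.findall(s))
                findings["urls"].update(URL_RE.findall(s))
                if EMOJI_RE.search(s):
                    findings["emoji_strings"].append((name, s))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a fake classes.dex, NOT a real malware sample."""
    fake_dex = b"\x00".join([
        b"dex\n035\x00" + b"\x00" * 16,          # fake DEX header bytes
        b"Lcom/example/relay/NfcRelay;",
        b"relay-operator@example.invalid",      # placeholder hard-coded pairing identifier
        "\u2705 APDU relayed to paired device".encode("utf-8"),  # emoji log string
        b"https://c2.example.invalid/upload",   # placeholder exfiltration URL
        b"onTagDiscovered",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", fake_dex)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()

if __name__ == "__main__":
    for key, val in scan_apk(build_sample_apk()).items():
        print(key, val)
```

On a real APK, pass the file's bytes to `scan_apk` and review the hits by hand; legitimate apps also embed URLs, so the e-mail and emoji hits are the higher-signal triage leads here.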
What to watch - Expect attackers to reuse GenAI to produce similar payloads and to expand beyond Brazil. Watch for variants that embed multi-vector persistence, broaden permissions, or migrate to other popular NFC helper apps. Banks and platform owners should monitor for sudden spikes in contactless fraud correlated with sideloaded app distribution.
"We believe that the campaign distributing trojanized HandyPay began around November 2025 and remains active at the time of writing," ESET researchers wrote, signaling ongoing risk and the need for rapid detection and mitigation.
Scoring Rationale
The campaign combines NFC-specific theft, PIN capture, and trojanizing a legitimate app, raising practitioner risk and operational complexity. Use of generative AI to produce malicious code increases scale and lowers attacker skill requirements. The story is notable and actionable but not a global infrastructure shift.