Ethical Hacking News
NGate, a sophisticated Android malware family, has targeted users in Brazil in a new campaign. The trojanized HandyPay application is distributed via websites masquerading as a lottery site and as a Google Play Store listing page. The malicious code allows attackers to transfer NFC data for contactless ATM cash-outs and unauthorized payments. The malicious payload can capture the victim's payment card PIN and exfiltrate it to the threat actor's C2 server. The campaign highlights the growing threat landscape in mobile security as AI is used to create malware. Cybersecurity experts urge users to exercise caution with financial apps, monitor accounts closely, and stay informed about emerging threats.
NGate, a sophisticated Android malware family, has been discovered to be behind a new campaign targeting users in Brazil. The malicious campaign, which began around November 2025, involves the trojanization of HandyPay, a legitimate application used to relay NFC data. This is not the first time NGate has been spotted; it was previously documented by Slovakian cybersecurity vendor ESET in August 2024.
The latest iteration of NGate has primarily targeted users in Brazil, marking the first such campaign to single out the South American nation. The trojanized HandyPay application is distributed via websites masquerading as Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and a Google Play Store listing page for a purported card protection app.
According to ESET security researcher Lukáš Štefanko, the threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated. The malicious code allows the attackers to transfer NFC data from the victim's payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments.
Furthermore, the malicious payload is capable of capturing the victim's payment card PIN and exfiltrating it to the threat actor's command-and-control (C2) server. Emojis found in the artifact's debug and toast messages point to the possible use of a large language model (LLM) to generate or modify the source code.
The development aligns with a broader trend of cybercriminals latching on to generative artificial intelligence (AI) to produce malware even with little to no technical expertise. "With the appearance of yet another NGate campaign on the scene, it can be plainly seen that NFC fraud is on the rise," ESET said.
HandyPay's cheaper subscription prices may have prompted the campaign's operators to switch to it rather than stick with existing turnkey solutions that cost north of $400 per month. "In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion," the company pointed out.
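Because the trojanized app asks only to become the default payment app and is delivered outside the official store, a useful device check is whether the default NFC payment app was sideloaded. The following is an added example, not code from ESET or from this article: it parses the output of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i`. It assumes the device exposes that settings key (newer Android releases may track the default wallet differently); the package `com.example.cardprotect` and all sample output are constructed.

```python
import re

# Installer packages treated as trusted stores (assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i`: package:<name>  installer=<installer>
_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package from `pm list packages -i`."""
    installers = {}
    for line in pm_output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage_default_payment_app(component, pm_output, trusted=TRUSTED_INSTALLERS):
    """Return a finding if the default payment app did not come from a trusted store."""
    component = (component or "").strip()
    if not component or component == "null":
        return None  # no default payment app configured
    # The setting holds a flattened component name: <package>/<service class>
    package = component.split("/", 1)[0]
    installer = parse_installers(pm_output).get(package, "unknown")
    if installer in trusted:
        return None
    return {
        "package": package,
        "installer": installer,
        "reason": "default NFC payment app not installed from a trusted store",
    }


# Constructed sample output for illustration only.
SAMPLE_PM = """\
package:com.google.android.apps.walletnfcrel  installer=com.android.vending
package:com.example.cardprotect  installer=null
"""
SAMPLE_DEFAULT = "com.example.cardprotect/com.example.cardprotect.HceService\n"

if __name__ == "__main__":
    print(triage_default_payment_app(SAMPLE_DEFAULT, SAMPLE_PM))
```

Preloaded vendor wallet apps can also report no installer, so allow-list those packages before treating a finding as suspicious.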
In an effort to combat this rising trend in NFC fraud, cybersecurity experts are urging users to exercise caution when using applications that handle sensitive financial information. "It's essential for individuals and businesses to stay vigilant and keep their apps up to date, as well as monitor their accounts closely for any suspicious activity," said ESET.
The rise of NGate and other sophisticated malware campaigns highlights the growing threat landscape in the world of mobile security. As AI technology continues to advance and become more accessible, it's becoming increasingly easy for cybercriminals to create complex malware without requiring extensive technical expertise.
In light of this, cybersecurity experts are emphasizing the importance of staying informed about emerging threats and adopting robust security measures to protect against them. "The latest NGate campaign serves as a reminder that cybersecurity is an ongoing process that requires constant attention and vigilance," said ESET.
By understanding the tactics used by cybercriminals like those behind NGate, individuals can better protect themselves against falling victim to NFC-related scams and frauds. As the threat landscape continues to evolve, it's essential for users to stay informed and take proactive steps to safeguard their devices and financial information.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-NGate-A-Sophisticated-Android-Malware-Campaign-Targeting-Brazil-ehn.shtml
https://thehackernews.com/2026/04/ngate-campaign-targets-brazil.html
https://www.bleepingcomputer.com/news/security/ngate-android-malware-uses-handypay-nfc-app-to-steal-card-data/
Published: Tue Apr 21 09:02:57 2026 by llama3.2 3B Q4_K_M