
NGate Malicious Campaign

By Mezo in Mobile Malware

Cybersecurity analysts have identified a new variant of the Android malware family known as NGate, which now exploits a legitimate application called HandyPay rather than relying on NFCGate. This evolution highlights a shift in attacker strategy, leveraging trusted tools to enhance the effectiveness and stealth of malicious operations.

The attackers modified HandyPay, an application originally designed to relay NFC data, by injecting malicious code. Indicators suggest that portions of this code may have been generated using artificial intelligence.

Similar to earlier NGate variants, this modified application enables attackers to intercept and transfer NFC data from a victim’s payment card to a device under their control. This stolen data is subsequently used for contactless ATM withdrawals and unauthorized transactions.

In addition to data interception, the malware is capable of capturing the victim’s payment card PIN and transmitting it to a remote Command-and-Control (C2) server, significantly increasing the risk of financial compromise.

From NFSkate to RatOn: The Malware’s Expanding Playbook

NGate, also referred to as NFSkate, first emerged publicly in August 2024 when researchers documented its ability to perform NFC relay attacks aimed at harvesting contactless payment data for fraudulent use. Over time, its delivery mechanisms and operational tactics have evolved.

By 2025, a related campaign identified as RatOn introduced dropper applications disguised as adult-themed versions of TikTok. These deceptive apps were used to deploy NGate and execute NFC relay attacks, demonstrating increasing sophistication in social engineering techniques.

Brazil in Focus: A Targeted Campaign Emerges

The latest NGate campaign represents a notable shift in geographic targeting, with a primary focus on users in Brazil. This marks the first known instance of the malware being tailored specifically for a South American audience.

Distribution methods rely heavily on deception. Attackers employ fake websites impersonating Rio de Prêmios, a lottery associated with the Rio de Janeiro state lottery organization, alongside fraudulent Google Play Store pages promoting a supposed card protection app. These channels are designed to mislead users into downloading a compromised version of HandyPay.

Infection Chain: How Victims Are Manipulated

The attack sequence relies on carefully orchestrated social engineering and user interaction:

  • Victims are lured through a fake lottery website and prompted to initiate a WhatsApp message to claim winnings
  • Users are redirected to download a trojanized version of HandyPay
  • The application requests to be set as the default payment app upon installation
  • Victims are instructed to enter their payment card PIN and tap their card on the device
  • NFC data is captured and relayed in real time to an attacker-controlled device

Once executed, the attackers gain the ability to perform unauthorized ATM withdrawals and payment transactions using the stolen credentials.

Stealth and Strategy: Why HandyPay Was Chosen

The campaign, believed to have started around November 2025, demonstrates a deliberate shift in tooling. The malicious version of HandyPay has never been distributed through the official Google Play Store, confirming that attackers rely entirely on deceptive delivery techniques.

Several factors likely influenced the decision to weaponize HandyPay. It is cheaper to subscribe to than competing solutions, which often exceed $400 per month, making it an economical choice for threat actors. Additionally, the application does not require special permissions; it only needs to be set as the default payment app. This reduces suspicion and increases the likelihood of successful installation.
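The two traits described above, an app made the default NFC payment service and a package that never came from Google Play, can be checked on a managed device. The script below is an added example, not code from the article or from HandyPay; it assumes Android's `nfc_payment_default_component` secure setting and the `installer=` field printed by `pm list packages -i`, and it reads constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): triage an Android device for
# the two traits this campaign relies on, an app that has been made the default
# NFC payment (HCE) service and a package not installed from Google Play.
# Assumptions: the secure settings key nfc_payment_default_component and the
# "installer=" column of `pm list packages -i`. Device output is passed in as
# strings so the check also works on captured files.

# nfc_default_package <settings-value>
# Prints the package name of the default payment service, or "none".
nfc_default_package() {
    case "$1" in
        ""|null) echo "none" ;;
        *) echo "${1%%/*}" ;;
    esac
}

# installer_of <pkg> <pm-list-output>
# Prints the installer recorded for <pkg> ("null" if sideloaded), or "unknown".
installer_of() {
    printf '%s\n' "$2" | awk -v pkg="$1" '
        BEGIN { key = "package:" pkg }
        $1 == key { sub(/^installer=/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# triage_payment_default <settings-value> <pm-list-output>
# Prints NONE, "OK <pkg>" (installed by Play) or "REVIEW <pkg> installer=<x>".
triage_payment_default() {
    pkg=$(nfc_default_package "$1")
    [ "$pkg" = "none" ] && { echo "NONE"; return 0; }
    inst=$(installer_of "$pkg" "$2")
    if [ "$inst" = "com.android.vending" ]; then
        echo "OK $pkg"
    else
        echo "REVIEW $pkg installer=$inst"
    fi
}

# Constructed sample data standing in for the two adb commands shown below.
SAMPLE_DEFAULT='com.example.relaypay/.HceService'
SAMPLE_PM='package:com.android.chrome  installer=com.android.vending
package:com.example.relaypay  installer=null
package:com.google.android.gms  installer=com.android.vending'

# Live use (requires adb and USB debugging on an enrolled device):
#   triage_payment_default "$(adb shell settings get secure nfc_payment_default_component)" \
#                          "$(adb shell pm list packages -i)"
triage_payment_default "$SAMPLE_DEFAULT" "$SAMPLE_PM"
```

A REVIEW result does not prove compromise on its own; it flags a default payment handler that bypassed Play, which is the delivery path this campaign uses.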

HandyPay has initiated an internal investigation in response to the abuse of its platform.

AI in Malware Development: A Growing Concern

Technical analysis of the malware has uncovered unusual elements, including the presence of emojis within debug and system messages. This anomaly suggests the possible involvement of large language models in generating or modifying the malicious code.

Although definitive attribution to AI remains unconfirmed, the findings align with a broader industry trend in which cybercriminals increasingly leverage generative artificial intelligence to streamline malware development. This lowers the barrier to entry, enabling individuals with limited technical expertise to create sophisticated threats.

Rising Threat Landscape: NFC Fraud on the Upswing

The emergence of this new NGate variant underscores a growing trend in NFC-based financial fraud. Rather than relying on established tools such as NFCGate or malware-as-a-service platforms, attackers are now repurposing legitimate applications with built-in NFC functionality.

This approach enhances both operational efficiency and evasion capabilities, signaling a concerning evolution in mobile threat tactics and reinforcing the need for heightened vigilance in mobile payment security.
