Trojanized Android App Fuels New Wave of NFC Fraud: How NGate Malware Steals Payment Data
A fresh variant of the NGate malware family has been uncovered, this time hiding inside a trojanized version of a legitimate Android app. Security researchers at ESET have identified a new campaign that abuses a modified build of HandyPay, a near-field communication (NFC) relay application, to intercept payment card data and personal identification numbers (PINs). The campaign marks a notable step in NGate's evolution: instead of building on open-source relay tools, the operators now repackage a legitimate app, which is both more convenient for them and harder to spot.
How the NGate Malware Campaign Works
According to ESET's findings, the malicious version of HandyPay has been circulating since November 2025, primarily targeting users in Brazil. Victims are lured through phishing websites that impersonate a Brazilian lottery site or a fake Google Play listing for a card protection tool. Once a user visits these fraudulent pages, they are instructed to install the app manually, bypassing the official Google Play Store.
Because the app is not available on the official store, Android prompts users to allow installations from unknown sources, and the social engineering on the phishing page is what gets the victim past that prompt. After installation, the trojanized app requests few permissions and instead relies on becoming the device's default payment application. That is enough because Android's NFC permission is a normal install-time permission and registering a host card emulation (HCE) payment service triggers no runtime permission dialog, so the app keeps full NFC functionality without the permission requests that usually draw attention.
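A triage check a practitioner would want here is whether the device's current default payment app was sideloaded rather than installed from Google Play. The script below is an added example, not code from the article, ESET or HandyPay. It assumes two adb commands and their output formats, which should be verified on the target Android version: `settings get secure nfc_payment_default_component` printing either `com.pkg/.Service` or `null`, and `pm list packages -3 -i` printing one `package:com.pkg  installer=<installer>` line per third-party app (`installer=null` for sideloads). All package names in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added triage helper; not code from the article, ESET or HandyPay.
# Flags a device whose default NFC payment (HCE) app was sideloaded.
# Assumed adb output formats (verify on your Android version):
#   adb shell settings get secure nfc_payment_default_component
#       -> "com.pkg/.Service" or "null"
#   adb shell pm list packages -3 -i
#       -> "package:com.pkg  installer=com.android.vending"
#          (installer=null when sideloaded; preinstalled apps are not listed by -3)

# Constructed sample output standing in for the two adb commands above.
SAMPLE_DEFAULT="com.example.sideloaded/.PaymentService"
SAMPLE_PKGS="package:com.example.sideloaded  installer=null
package:com.example.bankapp  installer=com.android.vending"

# installer_of PKG PKG_LIST -> prints the installer recorded for PKG,
# or "absent" when PKG is not in the third-party list (i.e. preinstalled).
installer_of() {
  printf '%s\n' "$2" | awk -v want="package:$1" '
    $1 == want { found = 1; sub(/^installer=/, "", $2); print $2; exit }
    END { if (!found) print "absent" }'
}

# triage_payment_default DEFAULT_COMPONENT PKG_LIST
# Prints a one-token verdict; exit status 1 when the default needs attention.
triage_payment_default() {
  component="$1"
  case "$component" in
    ""|null) echo "OK:no-default-payment-app"; return 0 ;;
  esac
  pkg="${component%%/*}"            # strip the HCE service class name
  installer=$(installer_of "$pkg" "$2")
  case "$installer" in
    absent)              echo "OK:preinstalled:$pkg"; return 0 ;;
    com.android.vending) echo "OK:play-installed:$pkg"; return 0 ;;
    ""|null)             echo "SUSPICIOUS:sideloaded-default-payment-app:$pkg"; return 1 ;;
    *)                   echo "REVIEW:installer=$installer:$pkg"; return 1 ;;
  esac
}

# Stand-alone demo on the constructed sample. On a real device, replace the
# two variables with the output of the adb commands listed above.
if triage_payment_default "$SAMPLE_DEFAULT" "$SAMPLE_PKGS"; then
  echo "default payment app looks normal"
else
  echo "investigate: pull the APK with 'adb shell pm path <pkg>' and check Play Protect"
fi
```

The verdict is deliberately a heuristic: a Play-installed default is not proof of safety (the campaign also uses a fake Play listing to lure victims, though the install itself still happens outside the store), and a non-Play installer such as a carrier or OEM store deserves a look rather than an alarm, which is why it lands in the REVIEW bucket.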
NFC Data Relay and PIN Capture
The malware performs two key actions: it captures NFC data from any payment card tapped on the infected device, and it prompts the victim to enter that card's PIN. Both pieces of information are then transmitted to attacker-controlled infrastructure. The card data is relayed to a device in the attackers' hands, which presents it to a payment terminal or ATM as if the victim's card were physically there, enabling fraudulent contactless transactions or cash withdrawals.
This technique is far more dangerous than simple card skimming. Contactless transactions above the no-verification limit, and ATM withdrawals in particular, normally require the cardholder's PIN; by pairing the relayed card data with the PIN the victim typed into the malicious app, the attackers remove that barrier. The campaign also demonstrates a clear shift from earlier NGate variants, which relied on open-source tools such as NFCGate, to a more targeted approach built on a trojanized legitimate app.
AI-Assisted Code Generation Suspected
Interestingly, ESET researchers found evidence suggesting that parts of the malicious code may have been generated with generative AI tools. Debug logs within the malware contained emoji markers, a pattern often associated with AI-assisted code generation. While not definitive proof, this aligns with a broader trend of threat actors using large language models (LLMs) to accelerate malware development.
If that is the case, AI assistance lowers the skill needed to produce working malware. This particular campaign still required significant effort beyond the code itself, notably setting up the phishing infrastructure and modifying the HandyPay app. The combination of possibly AI-generated code and social engineering is what makes this NGate campaign particularly concerning.
Protecting Against NFC-Based Fraud
Google has been notified of the campaign, and Google Play Protect now detects known versions of the malware. The developer of HandyPay has reportedly been contacted and is investigating the misuse of their application. Users, however, remain the first line of defense.
To protect against this type of Android NFC malware, install apps only from the official Google Play Store and keep Play Protect enabled. Be wary of any website that instructs you to install an app manually, especially if it claims to offer security or financial services. Never enter your card PIN into an app that asks for it outside a normal payment flow, avoid tapping your payment card on devices you do not trust, check which app is set as the default contactless payment app in your phone's NFC settings, and regularly review your bank statements for unauthorized transactions.
For more insights on mobile banking threats, read our article on APK Malformation Found in Thousands of Android Malware Samples. Additionally, learn about the latest phishing techniques in our guide on How to Spot Phishing Attacks.
The Future of NFC Relay Attacks
This campaign signals a worrying trend. Attackers are moving away from generic malware kits and instead modifying legitimate apps to serve their purposes. The trojanized HandyPay app allows for stealthier operations because the app's core functionality, NFC relay, is itself legitimate, so users and security solutions have less to go on when distinguishing a benign build from a malicious one.
The financial sector and Android users, particularly in regions such as Brazil, therefore need to stay vigilant. The combination of NFC relay, PIN capture, and possible AI-assisted development means that this NGate campaign could become a template for future attacks worldwide.