Stealthy NGate variant camouflaged within trojanized NFC payment application

Apr 22, 2026 | Threat Intelligence Research

New Variant of NGate Malware Abuses Legitimate App to Harvest Payment Card Data

TL;DR
ESET Research has identified a new variant of the NGate malware that abuses the HandyPay app to steal NFC payment data. The campaign primarily targets Android users in Brazil, misuses the application's own functionality, and its malicious code shows signs of possible AI-assisted generation.

Main Analysis
ESET Research reports a significant evolution of NGate: a new variant built on top of the HandyPay application, which is designed to relay NFC data. This variant uses maliciously patched versions of HandyPay that were distributed not through the official Google Play Store but through counterfeit sites, one impersonating a Brazilian lottery and the other a fake Google Play page. New functionality includes stealing payment card details and exfiltrating PINs to the operator's command-and-control (C&C) server. Compared with earlier NGate variants, the shift toward repurposing a legitimate application improves the malware's ability to evade detection.

The targeted demographic for this campaign is primarily Android users in Brazil. ESET's investigation found two distinct distribution methods: a fake lottery site that promises fraudulent winnings, and a fake Google Play page offering "protection" for payment cards. The two lures indicate a coordinated effort by the same threat actor. The campaign has reportedly been active since late November 2025, fueling growing concern over NFC fraud in the region.

The possible use of AI to generate the malware code is particularly notable. ESET points to unique markers noted within the logs that are characteristic of GenAI tools, which would imply a lower technological barrier for cybercriminals. This fits a broader trend in which less expertise is needed to produce functional malware, intensifying the threat landscape.

Defensive Context
Organizations and individuals using Android devices, particularly in Brazil, should be aware of this evolving threat. The malware relies on the functionality of the HandyPay application and requires the user to manually install a trojanized version from outside official channels, which underlines the need for vigilance when sideloading apps and when sharing personal or payment information.

Why This Matters
The sophistication of this campaign means heightened risk for Android users in Brazil, especially those who use contactless payment methods. Trojanizing a legitimate app lends the threat credibility and makes malicious activity harder for users to spot. Consequently, individuals who frequently use NFC technology or online payment services are at increased risk.

Indicators of Compromise (IOCs)

  • Domains: protecaocartao.online
  • IP Addresses: 104.21.91.170 (NGate distribution website), 108.165.230.223 (C&C server)
  • File Hashes:
    • SHA-1: 48A0DE6A43FC6E49318AD6873EA63FE325200DBC (PROTECAO_CARTAO.apk)
    • SHA-1: A4F793539480677241EF312150E9C02E324C0AA2 (PROTECAO_CARTAO.apk)
    • SHA-1: 94AF94CA818697E1D99123F69965B11EAD9F010C (Rio_de_Prêmios_Pagamento.apk)

This information underscores the critical need for heightened awareness and scrutiny of app sources to mitigate against the expanding reach of such threats.
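As an added defender's example (not code from the ESET report or from Q-Feeds), the following Python sweeps log lines and APK hashes against the indicators listed above. The log lines and their formats are constructed assumptions; only the domain, IPs and SHA-1 values come from the IOC list.

```python
import hashlib
import re
from typing import Optional

# Indicators from the IOC list above (SHA-1 digests lowercased for lookup).
NGATE_DOMAINS = {"protecaocartao.online"}
NGATE_IPS = {"104.21.91.170": "NGate distribution website", "108.165.230.223": "C&C server"}
NGATE_SHA1 = {
    "48a0de6a43fc6e49318ad6873ea63fe325200dbc": "PROTECAO_CARTAO.apk",
    "a4f793539480677241ef312150e9c02e324c0aa2": "PROTECAO_CARTAO.apk",
    "94af94ca818697e1d99123f69965b11ead9f010c": "Rio_de_Prêmios_Pagamento.apk",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)

def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it (case and trailing-dot safe)."""
    host = host.lower().rstrip(".")
    for d in NGATE_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def known_sample(sha1_hex: str) -> Optional[str]:
    """Map a SHA-1 hex digest (any case) to the listed NGate sample name, if present."""
    return NGATE_SHA1.get(sha1_hex.strip().lower())

def apk_sample_name(apk_bytes: bytes) -> Optional[str]:
    """Hash an APK's bytes and look the digest up in the IOC set."""
    return known_sample(hashlib.sha1(apk_bytes).hexdigest())

def scan_log_lines(lines):
    """Flag DNS/proxy/firewall lines that reference an NGate domain or IP; returns (line_no, kind, value)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = domain_matches(host)
            if d:
                hits.append((n, "domain", d))
        for ip in IP_RE.findall(line):
            if ip in NGATE_IPS:
                hits.append((n, "ip", f"{ip} ({NGATE_IPS[ip]})"))
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2026-04-20T10:01:12Z dns query A protecaocartao.online from 10.0.0.15",
    "2026-04-20T10:01:13Z proxy GET https://www.protecaocartao.online/PROTECAO_CARTAO.apk 10.0.0.15",
    "2026-04-20T10:05:44Z fw allow 10.0.0.15:51332 -> 108.165.230.223:443",
    "2026-04-20T10:06:00Z dns query A play.google.com from 10.0.0.15",
]
```

Running `scan_log_lines(SAMPLE_LOGS)` flags lines 1 and 2 on the domain (including the www subdomain) and line 3 on the C&C IP, while the benign Google Play lookup is left alone.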
