惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

WeLiveSecurity

Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
New NGate variant hides in a trojanized NFC payment app
Lukas Stefanko · 2026-04-21 · via WeLiveSecurity

ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments. Additionally, the code can also capture the victim’s payment card PIN and exfiltrate it to the operators’ C&C server.

Key points of this blogpost:

  • ESET researchers discovered a new NGate malware variant abusing the legitimate Android HandyPay application.
  • To trojanize HandyPay, threat actors most probably used GenAI, indicated by emoji left in the logs that are typical of AI-generated text.
  • The campaign has been ongoing since November 2025 and targets Android users in Brazil.
  • Apart from relaying NFC data, the malicious code also steals payment card PINs.
  • We saw two NGate samples being distributed in the attacks: one via a fake lottery website, the other through a fake Google Play website. Both sites were hosted on the same domain, strongly implying a single threat actor.

The attacks target users in Brazil, with the trojanized app being distributed mainly through a website impersonating a Brazilian lottery, Rio de Prêmios, as well as via a fake Google Play page for a supposed card protection app. This is not the first NGate campaign to take aim at Brazil: as we described in our H2 2025 Threat Report, NFC‑based attacks are expanding into new regions (see Figure 1) while leveraging more sophisticated tactics and techniques, with Brazil in particular being targeted by a variant of NGate called PhantomCard. Attackers are experimenting with fresh social engineering approaches and increasingly combining NFC abuse with banking trojan capabilities.

Figure 1. Geographical distribution of NGate attacks from January 2025 to February 2026
Figure 1. Geographical distribution of NGate attacks from January 2025 to February 2026

We believe that the campaign distributing trojanized HandyPay began around November 2025 and remains active at the time of writing this blogpost. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play services.

We also reached out to the HandyPay developer to alert them about the malicious use of their application. After establishing communication, they confirmed that they are conducting an internal investigation on their side.

HandyPay abuse

As the number of NFC threats keeps rising, so is the ecosystem supporting them becoming more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality, such as NFU Pay and TX‑NFC, have become available for purchase. These kits are actively marketed to affiliates on Telegram (one such advertisement is depicted in Figure 2). For example, the aforementioned PhantomCard attacks that also targeted Brazil employed NFU Pay to facilitate data transfer. In the case of the campaign described in this blogpost, however, the threat actors decided to go with their own solution and maliciously patched an existing app – HandyPay.

Figure 2. NFU Pay MaaS advertised on a Telegram channel
Figure 2. NFU Pay MaaS advertised on a Telegram channel

HandyPay (official website) is an Android app that has been available on Google Play since 2021. It enables relaying NFC data from one device to another, which can be used to share a card with a family member, allow one’s child to make a one-time purchase, etc. The data is first read on the cardholder’s device and then shared with a linked device. After the users link their accounts by email, the cardholder scans their payment card via NFC, upon which the encrypted data is transferred over the internet to the paired device. That device can then execute tap-to-pay actions using the original cardholder’s card. For the process to work, the users need to set HandyPay as the default payment app and sign in with Google or an email-based token.

As per the developer’s website, the app includes a degree of monetization (see Figure 3): using the app as a reader is free (“Guest access”), but to emulate the card on a paired device (“User access”), you supposedly need to subscribe for €9.99 per month. The site, however, frames this fee as a donation and the payment is not mentioned on the official Google Play store page.

Figure 3. HandyPay monetization information from the official website
Figure 3. HandyPay monetization information from the official website

Why did the operators of this campaign decide to trojanize the HandyPay app instead of going with an established solution for relaying NFC data? The answer is simple: money. The subscription fees for existing MaaS kits run in the hundreds of dollars: NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. HandyPay, on the other hand, is significantly cheaper, only asking for the €9.99 per month donation, if even that. In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion.

As we already alluded to in the introduction, the malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain emoji typical of AI-generated text (see the code snippet in Figure 4), suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.

Figure 4. Malicious code snippet, most probably generated by AI
Figure 4. Malicious code snippet, most probably generated by AI, responsible for exfiltration of payment card PIN to C&C server

Analysis of the campaign

Targeting

Based on the distribution vectors and the language version of the trojanized app, the campaign targets Android users in Brazil. While analyzing the attackers’ C&C server, we also found logs from four compromised devices, all geolocated in Brazil. The data contained captured PIN codes, IP addresses, and timestamps associated with the attacks.

Initial access

As part of the campaign, we observed two NGate samples. Although they are distributed separately, they are hosted on the same domain and use the same HandyPay app, indicating a coordinated operation conducted by the same malicious threat actors. The distribution flow of both samples is depicted in Figure 5.

Figure 5. Campaign distribution flow
Figure 5. Campaign distribution flow

The first NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The site shows a scratch card game where the user is supposed to reveal three matching symbols, with the outcome rigged so that the user always “wins” R$20,000 (see Figure 6). In order to claim the prize, the user is asked to tap a button that opens the legitimate WhatsApp with a prefilled message addressed to a predefined WhatsApp number, as shown in Figure 7. To increase credibility, the associated WhatsApp account uses a profile image that impersonates Caixa Econômica Federal, Brazil’s government-owned bank that manages the majority of lotteries in the country.

Figure 6. Scratching symbols always results in winning R$20,000
Figure 6. Scratching symbols always results in winning R$20,000 (left), with the victim being invited to launch WhatsApp via a button saying “Redeem my prize now” (machine translated) to claim their prize (right)
Figure 7. Draft message with option to send to a preselected WhatsApp contact
Figure 7. Draft message with option to send to a preselected WhatsApp contact

This is likely where the victim is directed to the patched HandyPay app masquerading as the Rio de Prêmios app, which is hosted on the same server as the fake lottery website. During testing, we didn’t receive a reply from the attacker’s WhatsApp account, but we attribute that to not using a Brazilian phone number.

The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). The screenshots in Figure 8 show that victims have to manually download and install the app, compromising their devices with trojanized HandyPay in the process. We saw malicious apps with similar names being used in an October 2025 campaign targeting Brazil that deployed the PhantomCard variant of NGate.

Figure 8. Users have to manually download and install the malicious Proteção Cartão app
Figure 8. Users have to manually download and install the malicious Proteção Cartão app

Execution flow

An overview of the operational flow of the trojanized HandyPay app is shown in Figure 9.

Figure 9. Trojanized HandyPay operational flow
Figure 9. Trojanized HandyPay operational flow

First, the victim needs to manually install a trojanized version of HandyPay, since the app is only available outside Google Play. When a user taps the download app button in their browser, Android automatically blocks the install and shows a prompt asking them to allow installation from this source. The user simply needs to tap Settings in that prompt, enable “Allow from this source”, return to the download screen, and continue installing the app. Once installed, the app asks to be set as the default payment app, which can be seen in Figure 10. This functionality is not malicious, as it is part of the official HandyPay app. The actual malware injected in the code doesn’t need this setting to be enabled on the victim’s phone to relay NFC data; only the device receiving the data, i.e., the operator device, needs this setting enabled. No further permissions are required (see Figure 11), helping the malicious app stay under the radar.

Figure 10. Initial request to set the app as the default NFC payment app
Figure 10. Initial request to set the app as the default NFC payment app
Figure 11. HandyPay doesn’t require any permissions
Figure 11. HandyPay doesn’t require any permissions

The victim is then asked to enter their payment card PIN into the app, and tap their card on the back of the smartphone with NFC enabled. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device, enabling the threat actor to use the victim’s payment card data to withdraw cash from ATMs. The operator’s device is linked to an email address hardcoded within the malicious app, ensuring that all captured NFC traffic is routed exclusively to the attacker. We have observed two different attacker email addresses being used in the analyzed samples. On top of the standard batch of data that is transferred in the NFC relay, the victim’s payment card PIN is exfiltrated separately to a dedicated C&C server over HTTP (see Figure 12), not relying on HandyPay infrastructure. The C&C endpoint for PIN harvesting also functions as the distribution server, centralizing both delivery and data-collection operations.

Figure 12. Example of PIN exfiltration to the C&C server over HTTP
Figure 12. Example of PIN exfiltration to the C&C server over HTTP

Conclusion

With the appearance of yet another NGate campaign on the scene, it can be plainly seen that NFC fraud is on the rise. This time, instead of using an established solution such as NFCGate or a MaaS on offer, the threat actors decided to trojanize HandyPay, an application with existing NFC relay functionality. The high likelihood that GenAI was used to help with the creation of the malicious code demonstrates how cybercrooks can do harm by abusing LLMs even without the need for technical expertise.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository

Files

SHA-1 Filename Detection Description
48A0DE6A43FC6E49318AD6873EA63FE325200DBC PROTECAO_CARTAO.apk Android/Spy.NGate.CC Android NGate malware.
A4F793539480677241EF312150E9C02E324C0AA2 PROTECAO_CARTAO.apk Android/Spy.NGate.CB Android NGate malware.
94AF94CA818697E1D99123F69965B11EAD9F010C Rio_de_Prêmios_Pagamento.apk Android/Spy.NGate.CB Android NGate malware.

Network

IP Domain Hosting provider First seen Details
104.21.91[.]170 protecaocartao[.]online Cloudflare, Inc. 2025‑11‑08 NGate distribution website.
108.165.230[.]223 N/A KAUA REIS DA SILVA
trading as BattleHost
2025‑11‑09 NGate C&C server.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic ID Name Description
Initial Access T1660 Phishing NGate has been distributed using dedicated websites.
Credential Access T1417.002 Input Capture: GUI Input Capture NGate tries to obtain victims’ PIN codes via a patched text box.
Exfiltration T1646 Exfiltration Over C2 Channel NGate exfiltrates victims’ PINs over HTTP.