The Rise of GenAI-Assisted NFC Relays: Analyzing the New NGate Malware Campaign

Cybersecurity researchers have identified a sophisticated new evolution in the NGate malware family. In this latest iteration, threat actors are weaponizing a trojanized version of HandyPay—a legitimate Android application designed to facilitate NFC (Near Field Communication) payment relaying. By injecting malicious payloads into a trusted utility, attackers are successfully harvesting sensitive credit card data and PINs to facilitate unauthorized ATM cash-outs and fraudulent contactless transactions.

What makes this campaign particularly alarming is the technical fingerprint left behind: the injected code shows distinct characteristics of being generated via Generative AI (GenAI). This shift suggests that the barrier to entry for conducting high-level financial fraud is lowering, allowing low-skilled actors to deploy complex, scalable malware campaigns.

HandyPay has been a staple on the Google Play Store since 2021, providing a service that allows users to relay NFC data between devices for seamless tap-to-pay functionality. The threat actors bypassed the security rigors of the official store by obtaining a clean APK, performing malicious code injection, and distributing the compromised build through third-party, untrusted channels.

Once a user installs the rogue APK, the application maintains a high degree of “social engineering stealth.” It mirrors the legitimate app’s behavior by requesting to be set as the default NFC payment provider and prompting the user to tap their physical card against the device. However, beneath this veneer of normalcy, the NGate payload intercepts the NFC transaction data and transparently relays it to an attacker-controlled device capable of emulating the victim’s card.

Critically, the malware is designed for stealth; it requests almost no additional system permissions beyond what the original HandyPay app requires, making the intrusion nearly invisible to the average user.

The GenAI Signature: Lowering the Barrier to Entry

During deep-dive forensic analysis, ESET researchers discovered log strings containing emojis within the patched package—a stylistic pattern highly characteristic of code or comments produced by large language models (LLMs) and GenAI coding assistants. While a definitive toolchain hasn’t been identified, the evidence suggests that AI was utilized to refactor or generate the exfiltration logic used to package PIN data and transmit it to a Command-and-Control (C&C) server via HTTP.

HandyPay monetization information from the official website (Source : ESET).
HandyPay monetization information from the official website (Source : ESET).

This trend highlights a growing reality in the threat landscape: GenAI is becoming a force multiplier for cybercriminals, enabling the rapid creation of functional, targeted Android malware without requiring deep expertise in low-level programming or network protocols.

The current campaign, which has been active since approximately November 2025, is heavily localized toward the Brazilian market. Analysis of the attackers’ C&C infrastructure revealed logs from multiple compromised devices, all geolocated in Brazil, containing a treasure trove of stolen PINs, IP addresses, and timestamps.

Deceptive Distribution Strategies

The attackers utilize two primary social engineering vectors to drive sideloading, both hosted on a single domain controlled by the threat group:

  • Fake Lottery Sites: A fraudulent “Rio de Prêmios” website uses a rigged digital scratch-card game. After users “win” a large sum (R$20,000), they are redirected to WhatsApp to “claim” their prize, where they are eventually sent the malicious HandyPay APK.
  • Spoofed Play Store Pages: An imitation Google Play web interface advertises a utility called “Proteção Cartão” (Card Protection). Users seeking security are instead tricked into sideloading the compromised payment app.
Geographical distribution of NGate attacks from January 2025 to February 2026 (Source : ESET).
Geographical distribution of NGate attacks from January 2025 to February 2026 (Source : ESET).

This evolution represents a tactical shift. Rather than relying on complex MaaS (Malware-as-a-Service) kits like NFCGate or NFU Pay, attackers are now leveraging the built-in functionality of existing, legitimate apps to perform the same relay attacks with much less technical overhead.

The Anatomy of a Fraudulent Transaction

The technical workflow of the theft is highly efficient. Once the user sideloads the APK and enables “Install from Unknown Sources,” the following sequence occurs:

  1. The app prompts the victim to enter their card PIN and perform an NFC tap within the UI.
  2. NFC Interception: NGate captures the full NFC transaction payload and transmits it to an operator’s device for real-time card emulation.
  3. PIN Exfiltration: The entered PIN is sent to a dedicated C&C endpoint via HTTP.

With this dual-stream of data—the live NFC payload and the corresponding PIN—attackers can execute high-value contactless purchases or perform rapid ATM cash-outs using emulated credentials, essentially “cloning” the card’s utility digitally.

Scratching symbols always results in winning R$20,000 (left), with the victim being invited to launch WhatsApp via a button saying “Redeem my prize now” (Source : ESET).
Scratching symbols always results in winning R$20,000 (left), with the victim being invited to launch WhatsApp via a button saying “Redeem my prize now” (Source : ESET).

Mitigation Note: While Google Play Protect offers a layer of defense against known NGate variants, the primary line of defense remains user behavior. Users must strictly avoid sideloading APKs from untrusted links and should only download financial or payment utilities directly from the official Google Play Store.

Indicators of Compromise (IOCs)

SHA-1 Hash Filename Detection Name Description
48A0DE6A43FC6E49318AD6873EA63FE325200DBC PROTECAO_CARTAO.apk Android/Spy.NGate.CC Android NGate malware payload.
A4F793539480677241EF312150E9C02E324C0AA2 PROTECAO_CARTAO.apk Android/Spy.NGate.CB Android NGate malware payload.
94AF94CA818697E1D99123F69965B11EAD9F010C Rio_de_Prêmios_Pagamento.apk Android/Spy.NGate.CB Android NGate malware payload.

Related Articles

Back to top button