The Rise of GenAI-Assisted NFC Relays: Analyzing the New NGate Malware Campaign
Cybersecurity researchers have identified a sophisticated new evolution in the NGate malware family. In this latest iteration, threat actors are weaponizing a trojanized version of HandyPay—a legitimate Android application designed to facilitate NFC (Near Field Communication) payment relaying. By injecting malicious payloads into a trusted utility, attackers are successfully harvesting sensitive credit card data and PINs to facilitate unauthorized ATM cash-outs and fraudulent contactless transactions.
What makes this campaign particularly alarming is the technical fingerprint left behind: the injected code shows distinct characteristics of being generated via Generative AI (GenAI). This shift suggests that the barrier to entry for conducting high-level financial fraud is lowering, allowing low-skilled actors to deploy complex, scalable malware campaigns.
HandyPay has been a staple on the Google Play Store since 2021, providing a service that allows users to relay NFC data between devices for seamless tap-to-pay functionality. The threat actors bypassed the security rigors of the official store by obtaining a clean APK, performing malicious code injection, and distributing the compromised build through third-party, untrusted channels.
Once a user installs the rogue APK, the application maintains a high degree of “social engineering stealth.” It mirrors the legitimate app’s behavior by requesting to be set as the default NFC payment provider and prompting the user to tap their physical card against the device. However, beneath this veneer of normalcy, the NGate payload intercepts the NFC transaction data and transparently relays it to an attacker-controlled device capable of emulating the victim’s card.
Critically, the malware is designed for stealth; it requests almost no additional system permissions beyond what the original HandyPay app requires, making the intrusion nearly invisible to the average user.
The GenAI Signature: Lowering the Barrier to Entry
During deep-dive forensic analysis, ESET researchers discovered log strings containing emojis within the patched package—a stylistic pattern highly characteristic of code or comments produced by large language models (LLMs) and GenAI coding assistants. While a definitive toolchain hasn’t been identified, the evidence suggests that AI was utilized to refactor or generate the exfiltration logic used to package PIN data and transmit it to a Command-and-Control (C&C) server via HTTP.

This trend highlights a growing reality in the threat landscape: GenAI is becoming a force multiplier for cybercriminals, enabling the rapid creation of functional, targeted Android malware without requiring deep expertise in low-level programming or network protocols.
The current campaign, which has been active since approximately November 2025, is heavily localized toward the Brazilian market. Analysis of the attackers’ C&C infrastructure revealed logs from multiple compromised devices, all geolocated in Brazil, containing a treasure trove of stolen PINs, IP addresses, and timestamps.
Deceptive Distribution Strategies
The attackers utilize two primary social engineering vectors to drive sideloading, both hosted on a single domain controlled by the threat group:
- Fake Lottery Sites: A fraudulent “Rio de Prêmios” website uses a rigged digital scratch-card game. After users “win” a large sum (R$20,000), they are redirected to WhatsApp to “claim” their prize, where they are eventually sent the malicious HandyPay APK.
- Spoofed Play Store Pages: An imitation Google Play web interface advertises a utility called “Proteção Cartão” (Card Protection). Users seeking security are instead tricked into sideloading the compromised payment app.

This evolution represents a tactical shift. Rather than relying on complex MaaS (Malware-as-a-Service) kits like NFCGate or NFU Pay, attackers are now leveraging the built-in functionality of existing, legitimate apps to perform the same relay attacks with much less technical overhead.
The Anatomy of a Fraudulent Transaction
The technical workflow of the theft is highly efficient. Once the user sideloads the APK and enables “Install from Unknown Sources,” the following sequence occurs:
- The app prompts the victim to enter their card PIN and perform an NFC tap within the UI.
- NFC Interception: NGate captures the full NFC transaction payload and transmits it to an operator’s device for real-time card emulation.
- PIN Exfiltration: The entered PIN is sent to a dedicated C&C endpoint via HTTP.
With this dual-stream of data—the live NFC payload and the corresponding PIN—attackers can execute high-value contactless purchases or perform rapid ATM cash-outs using emulated credentials, essentially “cloning” the card’s utility digitally.

Mitigation Note: While Google Play Protect offers a layer of defense against known NGate variants, the primary line of defense remains user behavior. Users must strictly avoid sideloading APKs from untrusted links and should only download financial or payment utilities directly from the official Google Play Store.
Indicators of Compromise (IOCs)
| SHA-1 Hash | Filename | Detection Name | Description |
| 48A0DE6A43FC6E49318AD6873EA63FE325200DBC | PROTECAO_CARTAO.apk | Android/Spy.NGate.CC | Android NGate malware payload. |
| A4F793539480677241EF312150E9C02E324C0AA2 | PROTECAO_CARTAO.apk | Android/Spy.NGate.CB | Android NGate malware payload. |
| 94AF94CA818697E1D99123F69965B11EAD9F010C | Rio_de_Prêmios_Pagamento.apk | Android/Spy.NGate.CB | Android NGate malware payload. |