A new variant of the NGate malware family has been identified, using a trojanized Android application to capture payment card data and PINs. According to ESET, the campaign has replaced earlier tooling with a modified version of HandyPay, a legitimate near-field communication (NFC) relay app, to intercept and reuse sensitive financial data. The malicious HandyPay version has been distributed since November 2025 and primarily targets users in Brazil.
Once installed, the app relays NFC payment card data from victims to attacker-controlled devices, enabling fraudulent contactless transactions and ATM withdrawals. Researchers observed two separate malware samples delivered through phishing infrastructure hosted on the same domain, with one impersonating a Brazilian lottery site and the other mimicking a Google Play listing for a card protection tool.
Google Play Protect detects known versions of the malware, said Google, while the HandyPay developer has reportedly been notified and is investigating the misuse of its application.