NGATE , also known as NFSkate, has been repurposed to Trojanise the HandyPay Android app, a move aimed at siphoning NFC data and PINs from victims in Brazil. The malware transfers NFC card data to an attacker-controlled device for unauthorised payments and cash withdrawals, while also capturing the victim’s card PIN and exfiltrating it to the attackers’ C2 server.
The latest variant, described as AI-generated in its malicious code, is spread via websites posing as Rio de Prêmios, the Rio de Janeiro state lottery, and through a Google Play Store listing for a fake card protection app; the campaign is reported to have begun around November 2025 and targets Brazil specifically for the first time. The fake HandyPay trojan does not appear on the Google Play Store, with HandyPay launching an internal investigation after discovery.
According to ESET security researcher Lukáš Štefanko, the threat actors used a trojanised HandyPay to bypass expectations of NFCGate and other MaaS options, emphasising how NFC fraud is on the rise.