NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
https://thehackernews.com/2026/04/ngate-campaign-targets-brazil.html
Publish Date: 2026-04-21 06:40:00
Source Domain: thehackernews.com
Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate.
“The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments.”
In addition, the malicious payload is capable of capturing the victim’s payment card PIN and exfiltrating it to the threat actor’s command-and-control (C2) server.
NGate, also known as NFSkate, was first publicly documented by the Slovakian cybersecurity vendor in August 2024, detailing its ability to carry out relay attacks to siphon victims’ contactless payment data with an aim to conduct fraudulent transactions.
A year later, Dutch mobile security company ThreatFabric detailed a threat codenamed RatOn that used dropper apps impersonating adult-friendly versions of TikTok to deploy NGate to carry out NFC relay attacks.
The latest version of NGate detected by ESET has primarily targeted users in Brazil, marking the first such campaign to single out the South American nation. The trojanized HandyPay application is distributed via websites masquerading as Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and a Google Play Store listing page for a purported card protection app.
The fake lottery website seeks to convince a user to tap a button to send a WhatsApp message to claim the prize money, at which point they are directed to likely download the poisoned version of the HandyPay app. Regardless of the method used, the app…
