NGate NFC Malware Hijacks Android Payment Apps in Brazil, Targeting Millions via Trojanized HandyPay
What Happened – A new variant of the NGate malware family has been embedded in a trojanized version of the legitimate HandyPay NFC‑relay app on Google Play. Since November 2025 the campaign has been delivering the malicious APK to Android users in Brazil through a fake lottery website and a WhatsApp lure, enabling attackers to intercept NFC‑based payment data.
Why It Matters for TPRM –
- Payment‑app vendors and fintech services face direct credential and transaction theft risk.
- Mobile app stores and third‑party distributors can become inadvertent conduits for malicious code.
- The use of AI‑generated code lowers the barrier for sophisticated malware creation, expanding the threat landscape for all app‑based payment solutions.
Who Is Affected – Financial services (digital wallets, banks, payment processors), mobile app marketplaces, and any organization that integrates Android NFC payment functionality.
Recommended Actions –
- Conduct a rapid inventory of all third‑party Android payment apps used by your organization.
- Enforce strict vetting of app signatures, permissions, and provenance before deployment.
- Monitor Google Play for unauthorized versions of known payment apps and implement mobile threat detection solutions.
- Review incident‑response playbooks for NFC‑based fraud and update user‑awareness training to flag suspicious lottery or prize‑win prompts.
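One way to automate the signature and provenance vetting recommended above, shown as an added example that is not from the source report or from ESET. It flags any app that declares an NFC host card emulation (HCE) service, which is what lets an app be chosen as the default payment app, unless its signing certificate matches a pinned digest and it was installed by Google Play. The package names, digests and record layout are constructed placeholders; the check assumes a repackaged build cannot carry the vendor's signing certificate.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Intent action a service must handle to emulate a card over NFC (HCE).
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
PLAY_INSTALLER = "com.android.vending"  # installer package name of Google Play

# Constructed allowlist (placeholders): package -> approved signer SHA-256.
PINNED_SIGNERS = {"com.example.pay": "aa" * 32}

def hce_services(root):
    """Names of services in a decoded manifest that can act as an NFC card."""
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if any(a.get(ANDROID_NS + "name") == HCE_ACTION
                   for a in svc.iter("action"))]

def vet(app):
    """Return findings for one inventory record (manifest, signer, installer)."""
    root = ET.fromstring(app["manifest"])
    if not hce_services(root):
        return []  # no HCE service declared; out of scope for this check
    findings = []
    pinned = PINNED_SIGNERS.get(root.get("package"))
    if pinned is None:
        findings.append("unapproved-payment-app")
    elif app["signer_sha256"].lower() != pinned:
        findings.append("signer-mismatch")  # same package name, different key
    if app["installer"] != PLAY_INSTALLER:
        findings.append("not-installed-from-play")
    return findings

def manifest(package, hce):
    """Build a constructed, minimal decoded AndroidManifest.xml for the demo."""
    svc = ('<service android:name=".PayService"><intent-filter>'
           f'<action android:name="{HCE_ACTION}"/></intent-filter></service>')
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><application>{svc if hce else ""}'
            '</application></manifest>')

# Constructed inventory records, e.g. from an MDM export or decoded APKs.
GENUINE = {"manifest": manifest("com.example.pay", True),
           "signer_sha256": "AA" * 32, "installer": PLAY_INSTALLER}
REPACKAGED = {"manifest": manifest("com.example.pay", True),
              "signer_sha256": "bb" * 32, "installer": None}
UNRELATED = {"manifest": manifest("com.example.notes", False),
             "signer_sha256": "cc" * 32, "installer": None}

if __name__ == "__main__":
    for app in (GENUINE, REPACKAGED, UNRELATED):
        print(vet(app))
```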
Technical Notes – The malware is delivered via a trojanized HandyPay APK, which needs no special permissions; it only has to be set as the default payment app. Distribution vectors include a spoofed lottery site (Rio de Prêmios) and a WhatsApp message that redirects victims to download the malicious APK. ESET researchers observed emoji‑laden log strings indicative of large‑language‑model‑assisted code generation. No CVE is directly exploited; the attack relies on social engineering and the inherent trust in a legitimate app’s NFC capabilities.
Source: Help Net Security