NGate Returns: Trojanized HandyPay App Weaponizes NFC Relay Attacks Against Brazilian Banking Users
A new NGate variant trojanizes the legitimate HandyPay app to silently relay NFC card data and harvest PINs from Brazilian Android users.
This analysis is based on research published by The Hacker News. CypherByte adds analysis, context, and security team recommendations.
Original research credit: ESET / The Hacker News. CypherByte analysis builds upon and extends the published findings of ESET security researcher Lukáš Štefanko.
Executive Summary
A newly identified campaign targeting Android users in Brazil represents a significant tactical evolution in mobile financial fraud. Researchers at ESET have uncovered a fresh iteration of the NGate malware family — a threat lineage previously documented for its abuse of the open-source NFCGate tool — that has pivoted to trojanizing HandyPay, a legitimate NFC data relay application. By patching HandyPay with malicious code and redistributing it through social engineering channels, threat actors are silently capturing contactless payment card data and harvesting banking PINs from victims in real time. This is not a theoretical attack surface; it is active, targeted, and financially motivated.
Security teams responsible for mobile device management, financial institutions operating in or servicing Latin American markets, and Android endpoint defenders should treat this campaign as an immediate operational concern. The combination of NFC relay capability with AI-assisted code injection signals a maturing threat actor toolkit — one that lowers the technical barrier for executing sophisticated proximity payment fraud at scale. This analysis examines the mechanics of the attack, its real-world implications, and actionable defensive guidance for security practitioners.
Technical Analysis
The NGate malware family has historically distinguished itself by abusing NFC relay functionality — specifically the ability to intercept, relay, and replay Near Field Communication (NFC) data from a victim's physical payment card to an attacker-controlled device. Previous NGate campaigns, documented across Central European targets, leveraged the legitimate NFCGate open-source framework to accomplish this. The Brazilian campaign marks a deliberate retooling: threat actors identified HandyPay, a legitimate application designed for NFC data relay operations, and surgically patched it with malicious functionality before redistribution.
The attack chain follows a well-structured sequence. Victims are first socially engineered — likely through phishing SMS (smishing), fraudulent banking notifications, or malicious ad networks — into downloading the trojanized HandyPay APK from outside the Google Play Store. Once installed, the application presents a fully functional NFC relay interface, maintaining its cover as a legitimate utility. Beneath this facade, the malicious payload performs two concurrent operations: it silently relays NFC card data from the victim's device to an attacker-controlled relay server or directly to a second Android device in the threat actor's possession, and it captures PIN entry through overlay or accessibility service abuse when the victim interacts with banking or payment interfaces.
The NFC relay component is particularly dangerous because it does not require the physical card to leave the victim's possession. When a victim places their contactless debit or credit card near their compromised Android device — or simply carries a card in proximity — the malware captures the card's radio frequency data and tunnels it over a network connection to the attacker. The attacker, using a second Android device running a companion relay client, can then emulate the victim's card at any point-of-sale terminal or ATM that accepts contactless payments. Combined with a harvested PIN, this enables full card-present transaction fraud without the physical card ever being stolen.
The AI-generated nature of the injected code is a tactically significant detail. It suggests that the threat actors may not have required deep Android internals expertise to execute this modification, and that the time-to-deployment for trojanized application variants could be substantially compressed compared to traditionally handcrafted malware. This has downstream implications for detection: AI-generated code may exhibit unusual structural patterns, inconsistent coding styles, or atypical API call sequences that deviate from both the original application's codebase and known malware signatures.
Impact Assessment
The primary affected population is Android users in Brazil, particularly those who use contactless payment methods and mobile banking applications. Brazil represents one of the world's largest and most sophisticated digital payments markets, with contactless and NFC-based transactions having seen explosive growth in the Pix instant payment era. This makes it a high-value target for NFC relay fraud campaigns.
HCE). Any Android device capable of NFC communication and running the trojanized HandyPay APK should be considered compromised. iOS devices are not affected by this specific campaign vector.
Real-world consequences extend beyond individual card fraud. Financial institutions face increased chargeback exposure and reputational liability. Corporate devices enrolled in BYOD programs, if compromised, could expose enterprise payment credentials or corporate card data. The use of an AI-assisted development pipeline by the threat actors also suggests potential for rapid geographic expansion — adapting the trojanized application for other regional NFC payment ecosystems represents a low-friction next step for a well-resourced group.
CypherByte's Perspective
This campaign is a meaningful data point in a broader trend that deserves sustained attention: the weaponization of legitimate developer tools and open-source frameworks as malware delivery infrastructure. NGate's migration from NFCGate to HandyPay is not an isolated choice — it reflects a deliberate threat actor strategy of hijacking trusted, functional software to bypass user suspicion and static detection heuristics. A user who previously used HandyPay legitimately, or who installs it on a recommendation, has no obvious reason to distrust what they're running.
The AI-generated code angle warrants particular scrutiny from the mobile security research community. If threat actors can now reliably use AI tooling to patch and trojanize applications without deep reverse engineering skill, the supply of viable threat actors capable of executing NFC relay campaigns expands considerably. Detection pipelines built on behavioral indicators and code similarity analysis will need to evolve to account for the structural unpredictability of AI-generated malicious payloads. At CypherByte, we assess this as an emerging capability shift that is likely to manifest across multiple malware families over the coming 12 to 18 months.
Indicators and Detection
Security teams should prioritize the following detection opportunities based on the known behavior of this NGate variant:
Sideloaded APK installation: Monitor for Android package installations originating outside Google Play, particularly applications presenting as payment or NFC utility tools. MDM and UEM solutions should alert on INSTALL_PACKAGES permission usage from non-trusted sources.
Anomalous NFC relay traffic: Network monitoring for outbound connections on non-standard ports from Android devices immediately following NFC read events may surface active relay sessions. Look for persistent low-latency TCP connections established by applications with NFC permissions.
Accessibility service abuse: Applications requesting AccessibilityService permissions outside of declared assistive functionality should be flagged for review, particularly financial or utility applications distributed outside of official channels.
Overlay activity: Monitor for SYSTEM_ALERT_WINDOW permission usage in applications that have no legitimate UI overlay requirement.
Application integrity mismatch: If HandyPay is present on managed devices, verify the APK signature against the legitimate publisher's certificate. Any signature mismatch is a definitive indicator of compromise.
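As an added illustration (CypherByte's, not ESET's research code or HandyPay's own), the following Python applies the five indicators above to a constructed MDM device inventory and turns stacked hits into a triage verdict. The HandyPay package name, the legitimate signing-certificate fingerprint and the sample apps are placeholders, since the page does not give them; the NFC-linked connection count is assumed to come from network telemetry correlated with NFC read events.

```python
# Added example (not ESET's or HandyPay's code): apply the indicators above to a
# constructed MDM inventory; package name and legitimate cert fingerprint are placeholders.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TRUSTED_INSTALLERS = {"com.android.vending"}   # Google Play's installer package
HANDYPAY_PKG = "com.example.handypay"          # placeholder package name
HANDYPAY_LEGIT_CERT_SHA256 = "PLACEHOLDER_PUBLISHER_CERT_SHA256"
NFC = "android.permission.NFC"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

@dataclass
class App:
    package: str
    installer: Optional[str]      # None = unknown source (sideloaded)
    permissions: Set[str]
    cert_sha256: str              # signing-certificate fingerprint reported by the MDM
    accessibility_service: bool   # declares an AccessibilityService component
    nfc_linked_connections: int   # persistent outbound TCP sessions seen right after NFC reads

def triage(app: App) -> List[str]:
    hits = []
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    if sideloaded and NFC in app.permissions:
        hits.append("sideloaded NFC/payment app")
    if NFC in app.permissions and app.nfc_linked_connections > 0:
        hits.append("anomalous NFC relay traffic")
    if app.accessibility_service and sideloaded:
        hits.append("accessibility service outside official channels")
    if OVERLAY in app.permissions:
        hits.append("overlay capability")
    if app.package == HANDYPAY_PKG and app.cert_sha256.lower() != HANDYPAY_LEGIT_CERT_SHA256.lower():
        hits.append("HandyPay signature mismatch")
    return hits

def verdict(hits: List[str]) -> str:
    # A signature mismatch alone is definitive; otherwise escalate on stacked indicators.
    if "HandyPay signature mismatch" in hits:
        return "compromised"
    return "investigate" if len(hits) >= 3 else ("review" if hits else "clean")

# Constructed sample inventory (not real telemetry).
INVENTORY = [
    App(HANDYPAY_PKG, None, {NFC, OVERLAY}, "deadbeef" * 8, True, 3),
    App(HANDYPAY_PKG, "com.android.vending", {NFC}, HANDYPAY_LEGIT_CERT_SHA256, False, 0),
    App("com.example.notes", None, {OVERLAY}, "cafe" * 16, False, 0),
]

def triage_inventory(apps: List[App] = INVENTORY) -> List[Tuple[str, str]]:
    return [(a.package, verdict(triage(a))) for a in apps]
```

Replace the placeholder fingerprint with the value taken from a known-good HandyPay APK (for example via apksigner) before using this against a real fleet.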
Recommendations
Security teams and defenders should take the following prioritized actions:
Enforce application allowlisting on managed Android devices. Restrict installations to Google Play-verified applications only. Disable sideloading via MDM policy where operationally feasible, and enforce this through automated compliance checks.
Deploy mobile threat defense (MTD) solutions capable of behavioral analysis on Android endpoints. Static signature-based AV is insufficient against trojanized legitimate applications, particularly those containing AI-generated payload code with novel structural patterns.
Conduct immediate triage for HandyPay presence across managed Android device fleets. Any instance should be investigated for signature integrity before being permitted to continue operating.
User awareness campaigns targeting Brazilian staff and customers should address the risk of installing applications from links received via SMS, WhatsApp, or email — the most probable delivery vector for this campaign.
Financial institutions should review contactless transaction anomaly detection rules, specifically looking for card-present NFC transactions occurring in geographic locations inconsistent with the cardholder's recent activity or device location data.
Threat intelligence teams should track NGate family evolution closely. Given the demonstrated willingness to pivot relay tool dependencies and adopt AI-assisted development, new variants targeting adjacent geographies or payment ecosystems should be anticipated within the current threat cycle.
The NGate-HandyPay campaign is a precise, financially motivated operation that exploits the inherent trust users extend to familiar, functional applications. Its technical sophistication — NFC relay, PIN harvesting, AI-assisted trojanization — places it firmly in the upper tier of mobile financial threats active today. Defenders who treat this as a Brazil-specific, isolated incident do so at their own risk.