
Contactless payments processed over 1 trillion transactions globally in 2024 (Industry Analysis, 2024). That convenience has made NFC-enabled cards one of the most attractive targets in modern financial fraud — and attackers are getting significantly more sophisticated in how they exploit it.
The NGate malware campaign active in Brazil since November 2025 represents a meaningful evolution in NFC-based fraud. Rather than building custom tools or paying for expensive malware-as-a-service kits, threat actors trojanized HandyPay, a legitimate NFC relay application, to silently steal payment card data and PINs. Victims believe they are claiming a lottery prize or installing a card protection app. Instead, they hand attackers everything needed to drain their accounts at ATMs across the country.
This post breaks down exactly how the NGate HandyPay campaign works, what makes it so difficult to detect, and what security teams and financial institutions can do to identify and contain NFC relay fraud before it reaches their customers.
How NGate Malware Turns a Legitimate App Into a Fraud Tool
Most mobile banking malware announces itself through suspicious permission requests or unfamiliar app names. NGate takes a different approach — one that makes it genuinely harder to spot.
The HandyPay Trojanization Strategy
HandyPay is a legitimate Android NFC relay application that has been available on Google Play since approximately 2021. Its core function — relaying NFC card data between devices — is exactly what NGate operators needed. Rather than building relay infrastructure from scratch or licensing commercial NFC fraud kits costing 400–500 USD per month, attackers simply patched HandyPay's existing APK with malicious code.
The result is an app that behaves exactly as users expect a payment utility to behave while running two hidden operations in parallel, plus a third property that keeps both of them unnoticed:
- NFC data capture: when the user taps their contactless card to the phone, the trojan relays the card's responses to an attacker-controlled device that presents itself to a terminal or ATM as that card
- PIN exfiltration: the PIN the victim types into the app is sent separately, over plain HTTP, to a command-and-control (C2) server
- Persistence without suspicion: apart from the NFC permission any contactless app holds, HandyPay only asks to become the device's default payment app, so users and security tools see nothing unusual
The C2 server also doubles as the malware distribution point, centralizing both payload delivery and stolen credential collection in a single infrastructure.
AI-Assisted Malware Development
Analysis of the injected malicious code revealed an unusual pattern: debug messages and toast notifications embedded in the code contained emojis — a stylistic artifact researchers associate with text generated by large language models (LLMs). This suggests the threat actors used generative AI tools to assist in writing or modifying portions of the malicious HandyPay patch.
This is significant beyond this single campaign. LLM-assisted malware development lowers the technical barrier for threat actors, accelerates iteration cycles, and may increase the volume and variety of future NFC fraud campaigns. The core threat model remains the same — but the speed at which new variants can emerge is increasing.
Important: The presence of AI-generated code does not make malware more or less dangerous on its own. It does mean that development cycles are compressing, and security teams should expect faster variant evolution within established malware families.
Distribution: Social Engineering Built Around Brazilian Trust
The trojanized HandyPay never appeared on Google Play. Every infection in the campaign required a victim to manually sideload an APK — which means the distribution strategy had to overcome Android's built-in sideloading warnings. The operators invested heavily in social engineering to make that happen.
The Rio de Prêmios Lottery Lure
The primary distribution vector impersonates Rio de Prêmios, the lottery operated by the state of Rio de Janeiro. Victims encounter a fraudulent website featuring a scratch-card game that always produces a large prize — reportedly up to R$20,000. To claim the prize, victims click a button that opens WhatsApp with a pre-filled message to an attacker-controlled number.
The WhatsApp profile uses imagery associated with Caixa Econômica Federal, Brazil's government-owned bank that administers federal lotteries, lending the interaction substantial perceived legitimacy. Victims are then instructed to download what appears to be the official Rio de Prêmios app — which is, in fact, the trojanized HandyPay APK.
This single flow combines three proven fraud techniques: lottery scam psychology, government brand impersonation, and social messaging channel exploitation.
The Fake "Card Protection" Play Store Page
A secondary infection path uses a spoofed Google Play–style landing page promoting an app called Proteção Cartão ("Card Protection"). The page mimics Play Store branding closely enough to appear credible to users unfamiliar with the subtle differences. The download ultimately delivers the same malicious APK.
Both vectors rely entirely on social engineering to bypass Android's sideloading protections. No vulnerability or zero-day is involved — victims must actively choose to install an app from an unknown source.
Table: NGate Distribution Vectors Compared
| Vector | Impersonation Target | Social Hook | User Action Required |
|---|---|---|---|
| Fake lottery website | Rio de Prêmios / Caixa Econômica Federal | Prize claim via scratch card | Enable sideloading, install APK |
| Fake Play Store page | Google Play Store | Card protection utility | Enable sideloading, install APK |
The Technical Attack Chain: From Installation to ATM Withdrawal
Understanding the complete attack chain helps security and fraud teams identify where detection and intervention are most feasible.
Step-by-Step Fraud Execution
Once the trojanized HandyPay is installed, the attack proceeds in a tightly coordinated sequence:
- The app asks to become the device's default NFC payment app (Android's host card emulation payment role), a normal request for this app category
- The UI prompts the victim to enter their payment card PIN
- The victim is instructed to hold their NFC-enabled card against the back of the phone
- The app reads the card over NFC and relays the exchange over the network to an attacker-controlled device that emulates the card at a terminal or ATM
- Simultaneously, the captured PIN is sent over HTTP to the C2 server
- The attacker uses the emulated card together with the stolen PIN to make contactless payments or withdraw cash at ATMs
Analysis of the C2 server identified logs from at least four confirmed victims, all geolocated in Brazil, containing PINs, timestamps, IP addresses, and device information.
Why Traditional Defenses Struggle
This attack chain creates specific detection challenges that standard mobile security controls are not designed to address:
- No anomalous permissions: beyond the NFC permission every contactless app holds, the app only asks to be the default payment app, which is expected behavior for this category
- Legitimate app base: the code is overwhelmingly genuine HandyPay, so detection must key on the injected patch; the one difference repackaging cannot hide is the signing certificate, because the attacker has to re-sign the modified APK with their own key
- Sideloaded distribution: the Play Store's pre-publication review never sees the APK; on-device Play Protect still scans sideloaded installs, but only flags the patched variant once Google already recognizes it
- Trusted NFC behavior: the relay looks identical to legitimate HandyPay usage at the network level, and because the victim's real card answers the terminal's commands, the issuer sees a genuine card-present transaction
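As an added example (not HandyPay's or NGate's code, and not something the campaign analysis itself provides), the following Python script shows the signer check described above: it parses the output of `apksigner verify --print-certs` from the Android SDK build-tools and compares the signing-certificate digest against an allowlist captured from the publisher's Play Store build. The package name, digests and sample apksigner output are constructed placeholders, and the `Signer #N certificate SHA-256 digest:` line shape is assumed from apksigner's `--print-certs` format.

```python
"""Flag a repackaged (re-signed) APK by comparing its signing certificate with
the publisher's known one.

Added example for this article, not HandyPay or NGate code. Assumes you run
`apksigner verify --print-certs <apk>` (Android SDK build-tools) and hand its
stdout to classify_apk(); the package name, digests and sample output below are
constructed placeholders, and the "Signer #N certificate SHA-256 digest:" line
shape is assumed from apksigner's --print-certs format.
"""
import re
import subprocess

# Constructed allowlist: package -> SHA-256 digests of the certificates that
# signed the build you pulled from the Play Store listing (hypothetical values).
KNOWN_SIGNERS = {
    "com.example.handypay": {"11" * 32},
}

SIGNER_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")


def parse_signer_digests(apksigner_output):
    """Collect every signer's SHA-256 certificate digest, lower-cased."""
    return [d.lower() for d in SIGNER_RE.findall(apksigner_output)]


def classify_apk(package, apksigner_output):
    """Return matches-publisher, resigned, unknown-package or unverifiable."""
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        # No signer lines: apksigner reported a failure or the file is not a signed APK.
        return "unverifiable"
    known = KNOWN_SIGNERS.get(package)
    if known is None:
        return "unknown-package"
    # Repackaging forces re-signing: a digest outside the allowlist means this is
    # not the publisher's build, however identical the rest of the APK looks.
    return "matches-publisher" if set(digests) <= known else "resigned"


def classify_apk_file(package, apk_path):
    """Same check against a real file; requires apksigner on PATH."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    return classify_apk(package, proc.stdout)


def sample_apksigner_output(digest, subject):
    """Constructed stand-in for apksigner stdout with a single signer."""
    return (
        "Verifies\n"
        "Verified using v2 scheme (APK Signature Scheme v2): true\n"
        "Number of signers: 1\n"
        f"Signer #1 certificate DN: {subject}\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'22' * 20}\n"
    )


# Constructed samples: the publisher's build and a re-signed copy of it.
PLAY_STORE_BUILD = sample_apksigner_output("11" * 32, "CN=HandyPay Publisher, O=Example")
REPACKAGED_BUILD = sample_apksigner_output("ab" * 32, "CN=Android Debug, O=Android")

if __name__ == "__main__":
    for label, out in [("store build", PLAY_STORE_BUILD), ("sideloaded build", REPACKAGED_BUILD)]:
        print(f"{label}: {classify_apk('com.example.handypay', out)}")
```

The check only tells you that an APK is not the publisher's build; a lure app shipped under a different package name (the "Proteção Cartão" page, for instance) lands in unknown-package, which is also the right answer for an MDM allowlist. Android applies the same rule at install time: an APK signed with a different key cannot replace an existing installation of the same package, so the trojanized copy can only land on devices that never had the Play Store version.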
Table: Detection Challenges by Defense Layer
| Defense Layer | Standard Coverage | Gap Against NGate HandyPay |
|---|---|---|
| Play Store scanning | High | Store review bypassed by sideloading; on-device Play Protect only flags a variant it already recognizes |
| Permission-based detection | Moderate | App requires no suspicious permissions |
| Signature-based AV | Moderate | Must detect patched variant specifically |
| Network monitoring | Low-Moderate | HTTP C2 traffic may blend with app activity |
| Fraud transaction monitoring | Moderate | ATM relay fraud detectable via velocity/geolocation |
Pro Tip: For financial institutions, the most reliable detection point for NFC relay fraud is the transaction layer, not the device layer. Correlating card-present contactless transactions with the location of the cardholder's registered mobile device, with transaction velocity, and with impossible travel between consecutive card-present events surfaces anomalies that no endpoint control will catch. Terminal-side relay-resistance timing checks defined for some EMV contactless kernels are a complementary control, but they only protect transactions where card, terminal and issuer all implement them.
Defensive Response: What Security and Fraud Teams Can Do
The NGate HandyPay campaign is active now. Security teams serving Brazilian users and financial institutions with Brazilian customer bases should treat this as an immediate operational concern, not a future planning item.
Detection Strategies for Financial Institutions
Transaction monitoring represents the most actionable defense point for banks and payment processors. Key signals to build into fraud detection rules include:
- For tokenized wallet transactions, a device fingerprint or token that does not match the cardholder's registered devices; for a relayed physical card the issuer sees the genuine card and a valid cryptogram, so the signals below carry the weight
- ATM withdrawals minutes after contactless activity hundreds of kilometres away (impossible travel between consecutive card-present events)
- Multiple contactless transactions in rapid succession across different merchants or ATMs
- Card-present activity while the cardholder's registered mobile device is in a different location
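To make those signals concrete, here is an added Python example (not code from the campaign analysis or from any production fraud engine) that runs three of the rules over a constructed stream of card-present events and device-location fixes: distance from the cardholder's registered device, impossible travel between consecutive card-present events, and velocity across distinct terminals. It assumes the issuer can attach terminal coordinates to each authorization and has a recent location for the registered device from its banking app; the coordinates, timestamps, terminal IDs and thresholds are all constructed or assumed.

```python
"""Transaction-layer detection of NFC relay fraud patterns.

Added example, not code from the page's source or from any bank's fraud engine.
Assumes the issuer receives card-present events with terminal coordinates and
can look up the last location reported by the cardholder's registered mobile
device (e.g. from the banking app). All events below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class CardEvent:
    card: str            # tokenised card reference; never log a raw PAN
    ts: datetime
    kind: str            # "contactless" or "atm_withdrawal"
    terminal: str
    lat: float
    lon: float


@dataclass(frozen=True)
class DeviceFix:
    card: str            # card linked to the registered device
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def nearest_device_fix(card, ts, fixes, max_age=timedelta(hours=1)):
    """Most recent device location for the card within max_age of ts, else None."""
    candidates = [f for f in fixes if f.card == card and abs(f.ts - ts) <= max_age]
    return min(candidates, key=lambda f: abs(f.ts - ts), default=None)


def flag_relay_patterns(events, fixes, *, device_km=50.0, max_speed_kmh=500.0,
                        velocity_count=3, velocity_window=timedelta(minutes=10)):
    """Return (terminal, reason) pairs for card-present events matching relay-fraud signals."""
    alerts = []
    by_card = {}
    for e in events:
        by_card.setdefault(e.card, []).append(e)
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            # Signal 1: card-present event far from the cardholder's registered device.
            fix = nearest_device_fix(card, e.ts, fixes)
            if fix is not None and haversine_km(e.lat, e.lon, fix.lat, fix.lon) > device_km:
                alerts.append((e.terminal, "DEVICE_DISTANCE"))
            # Signal 2: impossible travel since the previous card-present event.
            if i > 0:
                prev = evs[i - 1]
                hours = (e.ts - prev.ts).total_seconds() / 3600
                dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                if dist > 1.0 and (hours <= 0 or dist / hours > max_speed_kmh):
                    alerts.append((e.terminal, "IMPOSSIBLE_TRAVEL"))
            # Signal 3: burst of card-present activity across distinct terminals.
            recent = [x for x in evs[: i + 1] if e.ts - x.ts <= velocity_window]
            if len({x.terminal for x in recent}) >= velocity_count:
                alerts.append((e.terminal, "VELOCITY"))
    return alerts


# Constructed sample: card-A's holder is in Rio with their phone while the
# relayed card is used in São Paulo; card-B is a normal cardholder in São Paulo.
T0 = datetime(2025, 11, 20, 10, 0)
RIO = (-22.9068, -43.1729)
SAO = (-23.5505, -46.6333)
SAMPLE_FIXES = [
    DeviceFix("card-A", T0 + timedelta(minutes=2), *RIO),
    DeviceFix("card-B", T0, *SAO),
]
SAMPLE_EVENTS = [
    CardEvent("card-A", T0, "contactless", "POS-RJ-01", *RIO),  # victim's own tap at home
    CardEvent("card-A", T0 + timedelta(minutes=6), "atm_withdrawal", "ATM-SP-17", *SAO),
    CardEvent("card-A", T0 + timedelta(minutes=8), "atm_withdrawal", "ATM-SP-22", -23.5510, -46.6340),
    CardEvent("card-A", T0 + timedelta(minutes=9), "contactless", "POS-SP-03", -23.5520, -46.6350),
    CardEvent("card-B", T0 + timedelta(minutes=5), "contactless", "POS-SP-08", *SAO),
]

if __name__ == "__main__":
    for terminal, reason in flag_relay_patterns(SAMPLE_EVENTS, SAMPLE_FIXES):
        print(f"{terminal}: {reason}")
```

The thresholds are deliberately loose starting points: a 50 km device radius tolerates commuting, 500 km/h rules out anything short of a flight, and three distinct terminals in ten minutes catches the cash-out burst without firing on a single legitimate purchase. Run the rules per card, not per terminal, so that the victim's own legitimate tap in Rio becomes the anchor that exposes the São Paulo withdrawal as impossible travel.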
Sharing indicators of compromise (IOCs) — including malicious APK hashes and C2 infrastructure details — across financial sector partners accelerates coordinated disruption of the campaign infrastructure.
Mobile Security Guidance for Enterprise and Consumer Contexts
For organizations advising employees or customers on mobile payment security, the NGate HandyPay campaign offers clear guidance:
- Never install financial apps from sources outside official app stores, regardless of how convincing the download page appears
- Treat any lottery, prize, or giveaway message that leads to an app download as a high-probability scam
- Verify payment app publishers by cross-referencing the developer name against the official Play Store listing before installation
- Report unexpected prompts asking you to tap your payment card to an app you just installed
Table: MITRE ATT&CK Mobile Techniques Used in NGate Campaign
| Technique | MITRE ID | Description |
|---|---|---|
| Masquerading: Match Legitimate Name or Location | T1655.001 | Legitimate HandyPay APK repackaged with malicious code (supersedes the deprecated mobile ID T1444) |
| Phishing | T1660 | Fake lottery and Play Store pages lure victims into sideloading the APK |
| Input Prompt | T1411 | In-app prompt collects the victim's card PIN |
| Data from Local System | T1533 | NFC card data captured through the device's NFC interface |
| Exfiltration Over C2 Channel | T1646 | PIN data sent over HTTP to attacker infrastructure |
Key Takeaways
- Never sideload financial or payment apps — both NGate distribution vectors required manual APK installation outside the Play Store
- Audit NFC payment app permissions in your mobile device management (MDM) policy; default payment app requests from unknown apps should trigger review
- Build NFC relay fraud detection into transaction monitoring rules using geolocation, device fingerprinting, and velocity analysis
- Share IOCs rapidly across financial sector partners — C2 infrastructure and APK hashes from NGate enable coordinated disruption
- Treat LLM-assisted malware development as a trend accelerant — expect faster variant evolution and plan detection update cycles accordingly
- Train users that trusted brands in messages don't equal safe downloads — government lottery impersonation is a primary social engineering lever in this campaign
Conclusion
The NGate HandyPay campaign demonstrates that NFC payment fraud has moved well beyond crude skimming devices and obvious malware. By weaponizing a legitimate application with built-in relay capabilities, attackers eliminated the most detectable elements of their operation — suspicious permissions, unknown app names, and novel network behavior — while achieving full card emulation and PIN theft.
For security professionals, the lesson is that trust in an app's origin or behavior model is no longer sufficient grounds for confidence. For financial institutions, the transaction layer remains the most reliable detection surface when device-level controls are bypassed. And for anyone advising end users on mobile security, the campaign is a stark reminder that social engineering targeting local brands and trusted payment contexts is more effective than any technical exploit.
Staying ahead of NFC fraud requires combining transaction anomaly detection, rapid IOC sharing, and consistent user education — all applied to a threat landscape that is now evolving faster with AI assistance.
Frequently Asked Questions
Q: What is NFC relay fraud and how does NGate use it? A: NFC relay fraud captures the contactless payment data from a victim's card and transmits it in real time to an attacker-controlled device that can emulate that card for fraudulent transactions. NGate achieves this by trojanizing HandyPay, prompting victims to tap their card to the infected phone, then relaying the captured data to attackers who use it for ATM withdrawals and contactless payments.
Q: How does the trojanized HandyPay avoid detection by Android security? A: Beyond the NFC permission every contactless app holds, the app only asks to become the default payment app, which is entirely normal for an NFC relay application, so permission-based detection sees nothing suspicious. Because it is distributed through sideloading rather than the Play Store, it never goes through Google's store review; on-device Play Protect still scans sideloaded installs, but only flags the patched variant once Google already recognizes it, and signature-based antivirus likewise has to identify the patch rather than the original legitimate app. The one artifact repackaging cannot hide is the APK signing certificate, which necessarily differs from the publisher's.
Q: What role does AI play in the NGate HandyPay campaign? A: Researchers identified stylistic indicators — including emoji-laden debug messages — suggesting that portions of the malicious code injected into HandyPay were generated or modified using large language model tools. This represents a broader trend in which threat actors use generative AI to accelerate malware development, lower the skill barrier for code modification, and iterate faster on existing malware families.
Q: How can financial institutions detect NFC relay fraud in their transaction data? A: The most reliable signals include card-present contactless transactions from device fingerprints that don't match the cardholder's known devices, rapid successive transactions across geographically dispersed locations, and ATM withdrawals immediately following contactless activity in a different region. Correlating card-present status with real-time device geolocation data significantly improves detection accuracy for relay-based fraud patterns.
Q: What compliance frameworks are relevant to mobile NFC fraud prevention? A: PCI DSS v4.0 governs how merchants, processors and service providers protect cardholder data, including multi-factor authentication and logging requirements for the cardholder data environment; it does not prescribe issuer-side fraud monitoring, so treat it as adjacent rather than directly applicable. NIST SP 800-163 (Vetting the Security of Mobile Applications) is relevant for organizations managing NFC-capable enterprise devices, and a signer-certificate check against the publisher's build fits naturally into that vetting. ISO 27001 Annex A controls covering access management and incident response provide the governance framework for coordinating detection and disruption across financial sector partners.
