New NGate variant hides in a trojanized NFC payment app

ESET Research discovered a new NGate variant that trojanizes the legitimate Android HandyPay app to relay NFC payment-card data and capture PINs for contactless ATM cash-outs and unauthorized payments. The campaign, active since November 2025 and targeting Android users in Brazil, spread trojanized samples via a fake Rio de Prêmios lottery site and a fake Google Play page, and artifacts in the malware's logs suggest the malicious code may have been generated with GenAI.

Key points

  • ESET researchers identified a new NGate malware variant that maliciously patches the legitimate HandyPay Android app to relay NFC data and steal payment card information.
  • Artifacts in the malicious code (emoji in logs) indicate the threat actors likely used GenAI to generate or modify the injected code.
  • The campaign has been active since around November 2025 and specifically targets Android users in Brazil.
  • Compromised HandyPay not only relays NFC card data for contactless cash-outs but also captures victims’ payment card PINs and exfiltrates them to a C&C server over HTTP.
  • Two trojanized samples were distributed from the same domain via a fake Rio de Prêmios lottery site (social engineering via WhatsApp) and a fake Google Play page, implying a single operator.
  • ESET shared findings with Google and the HandyPay developer; Google Play Protect protects against known versions, and a full IoC list is available in ESET’s GitHub repository.

MITRE Techniques

  • [T1660] Phishing – NGate was delivered using malicious dedicated websites targeting victims. (‘NGate has been distributed using dedicated websites.’)
  • [T1417.002] Input Capture: GUI Input Capture – The trojanized app captures victims’ payment card PINs via a patched text box in the app UI. (‘NGate tries to obtain victims’ PIN codes via a patched text box.’)
  • [T1646] Exfiltration Over C2 Channel – Captured PINs are sent to the attackers’ C&C server over HTTP. (‘NGate exfiltrates victims’ PINs over HTTP.’)

Indicators of Compromise

  • [SHA-1] NGate sample hashes – 48A0DE6A43FC6E49318AD6873EA63FE325200DBC, A4F793539480677241EF312150E9C02E324C0AA2, and 1 more hash.
  • [Filename] Trojanized APK filenames used in distribution – PROTECAO_CARTAO.apk, Rio_de_Prêmios_Pagamento.apk.
  • [Domain] Distribution and hosting domain – protecaocartao[.]online (hosted distribution site serving trojanized apps).
  • [IP] Hosting and C&C infrastructure – 104.21.91[.]170 (distribution website via Cloudflare), 108.165.230[.]223 (NGate C&C server).
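The indicators above are published defanged, so they cannot be pasted straight into a log search. The following Python script is an added example, not code from ESET or the article: it refangs the listed indicators and scans log lines for the hashes, IPs, domain and APK filenames. The log formats and every sample line are constructed for illustration. Because 104.21.91[.]170 is a Cloudflare front for the distribution site, and therefore shared with unrelated sites, the script reports a match on that address alone as low confidence; that rating is this example's own design choice, not a classification from the report.

```python
import re
from dataclasses import dataclass

# Indicators exactly as listed on this page (defanged). The page names two of
# the three SHA-1 hashes; the third is only in ESET's GitHub IoC list.
IOC_SHA1 = {
    "48A0DE6A43FC6E49318AD6873EA63FE325200DBC",
    "A4F793539480677241EF312150E9C02E324C0AA2",
}
IOC_FILENAMES = {"PROTECAO_CARTAO.apk", "Rio_de_Prêmios_Pagamento.apk"}
IOC_DOMAINS_DEFANGED = {"protecaocartao[.]online"}
IOC_IPS_DEFANGED = {"104.21.91[.]170", "108.165.230[.]223"}
# 104.21.91.170 fronts the distribution site through Cloudflare and is shared
# with many unrelated sites, so a hit on it alone is weak evidence.
LOW_CONFIDENCE_DEFANGED = {"104.21.91[.]170"}


def refang(value: str) -> str:
    """Restore a defanged indicator ('[.]', 'hxxp') to its literal form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}
LOW_CONFIDENCE = {refang(i) for i in LOW_CONFIDENCE_DEFANGED}

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _token_re(literal: str) -> "re.Pattern":
    # Match the literal as a whole label: a leading '.' is allowed so that
    # subdomains (www.protecaocartao.online) match, while a longer name such
    # as notprotecaocartao.online does not.
    return re.compile(r"(?<![\w-])" + re.escape(literal) + r"(?![\w-])", re.IGNORECASE)


DOMAIN_RES = {d: _token_re(d) for d in IOC_DOMAINS}
FILENAME_RES = {f: _token_re(f) for f in IOC_FILENAMES}


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the scanned lines
    kind: str        # sha1 | ip | domain | filename
    value: str       # the matched indicator in literal (refanged) form
    confidence: str  # 'high' or 'low'


def scan_line(line_no: int, line: str) -> list:
    """Apply every indicator check to one log line."""
    hits = []
    for h in SHA1_RE.findall(line):
        if h.upper() in IOC_SHA1:
            hits.append(Hit(line_no, "sha1", h.upper(), "high"))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            conf = "low" if ip in LOW_CONFIDENCE else "high"
            hits.append(Hit(line_no, "ip", ip, conf))
    for d, pat in DOMAIN_RES.items():
        if pat.search(line):
            hits.append(Hit(line_no, "domain", d, "high"))
    for f, pat in FILENAME_RES.items():
        if pat.search(line):
            hits.append(Hit(line_no, "filename", f, "high"))
    return hits


def scan_lines(lines) -> list:
    """Scan an iterable of log lines; returns all hits in line order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample logs (not real telemetry): an APK install recorded with
# its SHA-1, a DNS lookup of the distribution domain, an HTTP POST to the C&C
# address, two benign near-misses, and a connection to the shared Cloudflare IP.
SAMPLE_LOGS = [
    "2025-11-14T10:01:03Z edr event=apk_install name=PROTECAO_CARTAO.apk sha1=48a0de6a43fc6e49318ad6873ea63fe325200dbc",
    "2025-11-14T10:02:11Z dns client=10.0.0.23 query=www.protecaocartao.online type=A",
    "2025-11-14T10:05:42Z proxy src=10.0.0.23 dst=108.165.230.223:80 method=POST uri=/",
    "2025-11-14T10:06:00Z dns client=10.0.0.24 query=notprotecaocartao.online type=A",
    "2025-11-14T10:07:00Z proxy src=10.0.0.24 dst=104.21.91.17:443 method=GET uri=/",
    "2025-11-14T10:08:00Z proxy src=10.0.0.25 dst=104.21.91.170:443 method=GET uri=/",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind}={hit.value} ({hit.confidence} confidence)")
```

Run against the constructed lines, the scan reports five hits: the filename and hash on line 1, the domain on line 2, the C&C address on line 3, and a low-confidence hit on the Cloudflare address on line 6; the two near-miss lines produce nothing. Hash comparison is case-insensitive and the domain and filename patterns only match whole labels, which are the two details that most often cause hand-written IoC greps to miss or over-match.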


Read more: https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/