New NGate AI-powered malware hides in NFC payment apps
Key Takeaways A new, more sophisticated variant of the NGate malware has been discovered, reportedly developed with the assistance of artificial intelligence. This malware specifically targets...
Key Takeaways
- A new, more sophisticated variant of the NGate malware has been discovered, reportedly developed with the assistance of artificial intelligence.
- This malware specifically targets Android users by masquerading as legitimate NFC payment applications.
- The trojanized apps steal payment card data and PINs, allowing attackers to perform unauthorized contactless payments and ATM withdrawals.
- The campaign has been active since November 2025 and is primarily targeting users in Brazil through fake lottery sites and deceptive app store pages.
AI-Powered NGate Malware Hides in NFC Payment Apps, Stealing Card Data and PINs
Cybersecurity researchers have uncovered an advanced version of the NGate malware, notable for its reported development with artificial intelligence. This enhanced threat is engineered to infiltrate mobile devices by posing as legitimate Near-Field Communication (NFC) payment applications, presenting a significant risk to users.
Table Of Content
A detailed analysis reveals the malware’s sophisticated capabilities and evasion tactics, which allow it to operate covertly within these compromised applications. A key finding from the research suggests that threat actors leveraged AI tools to generate portions of the malicious code, indicating a notable evolution in cybercriminal development methodologies.
Targeting Android Users with Trojanized HandyPay
The NGate variant primarily targets Android users by disguising itself as “HandyPay,” a genuine Android application available on Google Play since 2021. The legitimate HandyPay app facilitates NFC data transfer between devices for various everyday uses, such as sharing card information.
Attackers have taken this authentic application, injected it with malicious code, and are distributing it through unofficial channels, bypassing the rigorous security checks of the Google Play Store. Once installed on a victim’s smartphone, this trojanized version surreptitiously reads payment card data via NFC and transmits it to a device controlled by the attacker.
With the stolen card data, threat actors can execute unauthorized contactless ATM withdrawals and make fraudulent payments. Furthermore, the malware is capable of capturing the victim’s payment card PIN, which it then sends to the attackers’ command-and-control (C2) server over HTTP.
Analysts and researchers at WeLiveSecurity identified this new NGate variant. They observed clear indicators of AI-generated malicious code, including the presence of emojis within log entries—a characteristic often seen in output from large language models.
Active Campaign and Distribution Channels
The campaign employing this advanced NGate malware has been ongoing since November 2025, with a primary focus on Android users in Brazil. The attackers utilize two distinct distribution channels to propagate the malware:
- Fake Lottery Website: One method involves a deceptive lottery website that mimics “Rio de Premios,” a Brazilian state lottery organization. Users are presented with a rigged scratch card game, where they are guaranteed to “win” R$20,000. To claim the prize, victims are instructed to send a WhatsApp message, which subsequently directs them to download the trojanized application.
- Bogus Google Play Page: The second channel is a fraudulent Google Play page that distributes the malware under the guise of an app named “Protecao Cartao” (Card Protection).
Both malicious websites were found to be hosted on the same domain, strongly suggesting that a single threat actor is orchestrating the entire operation.

How the Trojanized App Operates
Upon installation of the fake HandyPay app, the infection process begins subtly. The application requests to be designated as the default NFC payment app on the device. This request appears innocuous, as it aligns with the expected functionality of the legitimate HandyPay application. The malware then prompts the victim to input their payment card PIN and tap their physical card against the phone’s back.
At this juncture, the malware intercepts the NFC card data and relays it through the HandyPay service to the attacker’s device, which is linked to a hardcoded email address embedded within the malicious app.

A particularly concerning aspect of this NGate variant is its ability to relay NFC data without requiring any special permissions on the victim’s device. By simply being set as the default payment application, the malware bypasses conventional permission-based security checks, making its detection more challenging.

The exfiltration of both card data and the PIN to the C2 server provides attackers with all necessary credentials to execute both contactless payments and ATM cash withdrawals, maximizing potential financial damage.
What You Should Do
- Download Apps from Official Sources Only: Always obtain payment applications exclusively from trusted platforms like the Google Play Store. Avoid installing apps from third-party websites, unverified app stores, or links received via messaging apps.
- Enable Google Play Protect: Ensure Google Play Protect is active on your Android device. It offers an additional layer of security by automatically identifying and blocking known malware variants.
- Exercise Caution with PIN Entry: Never enter your payment card PIN into any newly installed or unfamiliar application, particularly those promoted as prize claims or card protection tools.
- Verify NFC Access Requests: If an application requests NFC access and does not originate from a recognized and trusted source, immediately uninstall it. Report any suspicious incidents to your bank or card issuer.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.