Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts
July 7, 2026
Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
July 7, 2026
Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
July 7, 2026
Home/Threats/New NGate AI-powered malware hides in NFC payment apps
Threats

New NGate AI-powered malware hides in NFC payment apps

Key Takeaways A new, more sophisticated variant of the NGate malware has been discovered, reportedly developed with the assistance of artificial intelligence. This malware specifically targets...

David kimber
David kimber
April 21, 2026 4 Min Read
27 0

Key Takeaways

  • A new, more sophisticated variant of the NGate malware has been discovered, reportedly developed with the assistance of artificial intelligence.
  • This malware specifically targets Android users by masquerading as legitimate NFC payment applications.
  • The trojanized apps steal payment card data and PINs, allowing attackers to perform unauthorized contactless payments and ATM withdrawals.
  • The campaign has been active since November 2025 and is primarily targeting users in Brazil through fake lottery sites and deceptive app store pages.

AI-Powered NGate Malware Hides in NFC Payment Apps, Stealing Card Data and PINs

Cybersecurity researchers have uncovered an advanced version of the NGate malware, notable for its reported development with artificial intelligence. This enhanced threat is engineered to infiltrate mobile devices by posing as legitimate Near-Field Communication (NFC) payment applications, presenting a significant risk to users.

Table Of Content

  • Key Takeaways
  • AI-Powered NGate Malware Hides in NFC Payment Apps, Stealing Card Data and PINs
  • Targeting Android Users with Trojanized HandyPay
  • Active Campaign and Distribution Channels
  • How the Trojanized App Operates
  • What You Should Do

A detailed analysis reveals the malware’s sophisticated capabilities and evasion tactics, which allow it to operate covertly within these compromised applications. A key finding from the research suggests that threat actors leveraged AI tools to generate portions of the malicious code, indicating a notable evolution in cybercriminal development methodologies.

Targeting Android Users with Trojanized HandyPay

The NGate variant primarily targets Android users by disguising itself as “HandyPay,” a genuine Android application available on Google Play since 2021. The legitimate HandyPay app facilitates NFC data transfer between devices for various everyday uses, such as sharing card information.

Attackers have taken this authentic application, injected it with malicious code, and are distributing it through unofficial channels, bypassing the rigorous security checks of the Google Play Store. Once installed on a victim’s smartphone, this trojanized version surreptitiously reads payment card data via NFC and transmits it to a device controlled by the attacker.

With the stolen card data, threat actors can execute unauthorized contactless ATM withdrawals and make fraudulent payments. Furthermore, the malware is capable of capturing the victim’s payment card PIN, which it then sends to the attackers’ command-and-control (C2) server over HTTP.

Analysts and researchers at WeLiveSecurity identified this new NGate variant. They observed clear indicators of AI-generated malicious code, including the presence of emojis within log entries—a characteristic often seen in output from large language models.

Active Campaign and Distribution Channels

The campaign employing this advanced NGate malware has been ongoing since November 2025, with a primary focus on Android users in Brazil. The attackers utilize two distinct distribution channels to propagate the malware:

  1. Fake Lottery Website: One method involves a deceptive lottery website that mimics “Rio de Premios,” a Brazilian state lottery organization. Users are presented with a rigged scratch card game, where they are guaranteed to “win” R$20,000. To claim the prize, victims are instructed to send a WhatsApp message, which subsequently directs them to download the trojanized application.
  2. Bogus Google Play Page: The second channel is a fraudulent Google Play page that distributes the malware under the guise of an app named “Protecao Cartao” (Card Protection).

Both malicious websites were found to be hosted on the same domain, strongly suggesting that a single threat actor is orchestrating the entire operation.

Geographical distribution of NGate attacks from January 2025 to February 2026 (Source - Welivesecurity)
Geographical distribution of NGate attacks from January 2025 to February 2026 (Source – Welivesecurity)

How the Trojanized App Operates

Upon installation of the fake HandyPay app, the infection process begins subtly. The application requests to be designated as the default NFC payment app on the device. This request appears innocuous, as it aligns with the expected functionality of the legitimate HandyPay application. The malware then prompts the victim to input their payment card PIN and tap their physical card against the phone’s back.

At this juncture, the malware intercepts the NFC card data and relays it through the HandyPay service to the attacker’s device, which is linked to a hardcoded email address embedded within the malicious app.

Trojanized HandyPay operational flow (Source - Welivesecurity)
Trojanized HandyPay operational flow (Source – Welivesecurity)

A particularly concerning aspect of this NGate variant is its ability to relay NFC data without requiring any special permissions on the victim’s device. By simply being set as the default payment application, the malware bypasses conventional permission-based security checks, making its detection more challenging.

Example of PIN exfiltration to the C2 server over HTTP (Source - Welivesecurity)
Example of PIN exfiltration to the C2 server over HTTP (Source – Welivesecurity)

The exfiltration of both card data and the PIN to the C2 server provides attackers with all necessary credentials to execute both contactless payments and ATM cash withdrawals, maximizing potential financial damage.

What You Should Do

  • Download Apps from Official Sources Only: Always obtain payment applications exclusively from trusted platforms like the Google Play Store. Avoid installing apps from third-party websites, unverified app stores, or links received via messaging apps.
  • Enable Google Play Protect: Ensure Google Play Protect is active on your Android device. It offers an additional layer of security by automatically identifying and blocking known malware variants.
  • Exercise Caution with PIN Entry: Never enter your payment card PIN into any newly installed or unfamiliar application, particularly those promoted as prize claims or card protection tools.
  • Verify NFC Access Requests: If an application requests NFC access and does not originate from a recognized and trusted source, immediately uninstall it. Report any suspicious incidents to your bank or card issuer.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarePatchSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

GitHub Phishing Campaign Abuses OAuth Apps via Issue Notifications

Next Post

PureRAT Campaign Hides PE Payloads in PNG Files, Executes Filelessly

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
July 7, 2026
Windows Device ID Used to Apprehend Scattered Spider Cybercriminal
July 7, 2026
Critical fast-mcp-telegram CVE-2023-4589 lets attackers access sensitive files
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us