NGate: New Android Campaign Targets Brazil with Trojanized NFC Stealers
Researchers have uncovered a sophisticated evolution of the NGate malware family, which now weaponizes legitimate payment applications to intercept card data and relay physical transactions across the internet in real time.
SÃO PAULO, BRZ — A high-impact cyber-espionage and financial theft campaign is currently sweeping through Brazil, utilizing a new variant of the NGate Android malware. According to technical findings from ESET Research, attackers are trojanizing HandyPay, a legitimate NFC payment utility, to intercept Near-Field Communication (NFC) data and PINs directly from victims' physical credit and debit cards.
The campaign is notable for its implementation of NFC Relay technology. This allows attackers to transmit stolen card data from a victim's smartphone to an attacker-controlled device, which can then be used to perform unauthorized physical transactions at ATMs and Point-of-Sale (PoS) terminals hundreds of miles away.
NGate Attack Chain: Technical Comparison
The Mechanism: Breaking the Contactless Barrier
The NGate malware does not just steal stored data; it acts as a digital bridge between a victim's physical card and an attacker’s hardware.
According to reports from The Hacker News and BleepingComputer, the attack chain involves several coordinated steps that bypass traditional banking security:
- The Hook: Victims receive SMS or phishing messages regarding "unauthorized transactions" or "expired banking apps," directing them to a malicious landing page to download a "security update."
- The Trojan: The downloaded app is a modified version of HandyPay. Once installed, it prompts the user to "verify" their physical card by tapping it against the back of their phone.
- NFC Interception: The malware leverages the NFCGate open-source library to capture the card’s Unique Identifier (UID) and encrypted payment data. Simultaneously, it uses a fake UI overlay to record the user’s numeric PIN.
- The Relay: The captured data is relayed via the internet to an attacker's secondary Android device. This second device "clones" the signal, allowing the attacker to tap an ATM or PoS terminal as if the physical card were present.
NGate’s success in trojanizing HandyPay is a direct echo of the FakeWallet infiltration of the Apple App Store, proving that "Walled Gardens" are increasingly porous to financial malware and banking trojans.
The AI Component: Rapid Development
Analysis by CyberPress and ESET suggests that this latest iteration of NGate may have been built or refined with the assistance of generative AI. The speed at which the malware was adapted to target specific Brazilian financial institutions — and the clean integration of the open-source NFCGate components — points toward an AI-accelerated development cycle.
Furthermore, researchers noted that the phishing sites used in this campaign were remarkably well-designed, featuring localized Portuguese that lacked the typical grammatical errors often seen in cross-border financial scams.
The CyberSignal Analysis
Signal 01 — The End of "Short-Range" Security
This incident is a definitive signal for mobile security. For years, NFC was considered inherently secure because an attacker had to be within centimeters of the target. NGate proves that hardware protocols are now software-defined. For B2B leaders, the signal is that mobile device management (MDM) must now include strict controls over NFC permissions and the installation of third-party APKs, as the "physical distance" defense is officially dead.
Signal 02 — The Tokenization of Physical Assets
This is a high-fidelity signal for token theft. The malware effectively turns a physical credit card into a digital token that can be moved across a network. As we transition toward passwordless environments, threat actors are focusing on the transfer of the credential rather than just the theft of the password. Resilience in 2026 means adopting contactless transaction limits and behavioral monitoring that flags "impossible travel" — where a card is tapped in São Paulo but the relay transaction occurs in another city seconds later.
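The "impossible travel" check described above, as an added example that is not part of the original article or of ESET's findings: a small issuer-side detector that orders card-present events per card and flags any consecutive pair whose implied travel speed could not be achieved by a card physically carried between the two terminals. The card reference, terminal names, coordinates, timestamps and the 900 km/h plausibility threshold are all constructed assumptions for the example.

```python
"""Impossible-travel detection for card-present events.

Added example, not code from the original article or from ESET. It models
the behavioural check the article recommends: a card presented in one city
and then used in another city too soon afterwards for the card itself to
have travelled there is flagged for review. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy thresholds (not from the article): anything faster than a
# commercial flight is treated as physically impossible, and a 1 s floor on
# the time gap avoids dividing by ~0 on same-terminal retries.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
MIN_GAP = timedelta(seconds=1)


@dataclass(frozen=True)
class CardEvent:
    card_ref: str       # tokenised reference to the card, never the PAN itself
    ts: datetime        # time the card was presented (UTC)
    lat: float          # terminal latitude (WGS84)
    lon: float          # terminal longitude (WGS84)
    terminal: str       # terminal / ATM identifier


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier, later, implied_speed_kmh) for every consecutive pair
    of events on the same card whose implied speed exceeds the threshold."""
    by_card = {}
    for e in sorted(events, key=lambda e: (e.card_ref, e.ts)):
        by_card.setdefault(e.card_ref, []).append(e)

    alerts = []
    for card_events in by_card.values():
        for prev, cur in zip(card_events, card_events[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            gap = max(cur.ts - prev.ts, MIN_GAP)
            speed_kmh = dist_km / (gap.total_seconds() / 3600.0)
            if speed_kmh > max_speed_kmh:
                alerts.append((prev, cur, speed_kmh))
    return alerts


# Constructed sample: a legitimate purchase in São Paulo, a relayed ATM
# withdrawal in Rio de Janeiro five minutes later (about 360 km away), and an
# unrelated card that genuinely travels from São Paulo to Campinas in two hours.
_T0 = datetime(2025, 3, 10, 14, 58, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    CardEvent("card-A", _T0, -23.5505, -46.6333, "SP-POS-112"),
    CardEvent("card-A", _T0 + timedelta(minutes=5), -22.9068, -43.1729, "RJ-ATM-07"),
    CardEvent("card-B", _T0, -23.5505, -46.6333, "SP-POS-112"),
    CardEvent("card-B", _T0 + timedelta(hours=2), -22.9056, -47.0608, "CPS-POS-31"),
]

if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {cur.card_ref}: {prev.terminal} -> {cur.terminal} "
              f"implies {speed:,.0f} km/h; review transaction at {cur.terminal}")
```

Running the block flags only card-A: São Paulo to Rio de Janeiro in five minutes implies a speed of several thousand km/h, while card-B's trip to Campinas works out to roughly 42 km/h and passes. In production the same check would run on the authorization stream, with the threshold and the minimum gap tuned to the issuer's own false-positive tolerance.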
Signal 03 — AI-Accelerated Malware Evolution
This represents a significant signal for threat intelligence. The possible use of AI to refactor open-source tools (NFCGate) into localized malware (NGate) demonstrates how the barrier to entry for complex hardware attacks is dropping. Security teams must move toward automated detection that monitors for the unauthorized activation of the NFC radio by non-system apps, as manual signature updates cannot keep pace with AI-generated malware variants.