New NGate Malware Developed Using AI Hides in NFC Payment Apps

A new and more capable variant of the NGate Android malware has been found hiding inside a trojanized NFC payment application. This time the threat actors appear to have used generative AI to help write the malicious code, a notable shift in how attack tools are being built. The malware targets Android users by posing as the legitimate app HandyPay: the attackers took that app, patched malicious code into it, and distributed the result outside the official Google Play Store.

Once installed on a victim’s phone, the trojanized app silently reads the payment card’s data over NFC and relays it to an attacker-controlled device, which then uses the relayed card to make contactless ATM withdrawals and unauthorized payments. 💳💸

In addition to relaying NFC data, the malware captures the victim’s payment card PIN and sends it to the attackers’ command-and-control (C2) server over plain HTTP. ESET researchers, writing on WeLiveSecurity, identified this new NGate variant and noted that the code shows clear signs of AI generation, including emojis left in log entries, a hallmark of text produced by large language models. The campaign has been running since November 2025 and continues to actively target Android users in Brazil.

The malware is delivered through two separate distribution channels. The first is a fake lottery website impersonating a Brazilian state lottery organization called Rio de Premios: it shows a rigged scratch-card game in which the user always wins R$20,000, directs them to send a WhatsApp message to claim the prize, and then walks them through downloading the trojanized app. The second is a fake Google Play page that distributes the malware under the name Protecao Cartao ("Card Protection" in English). Both sites were hosted on the same domain, strongly suggesting a single threat actor behind the whole operation.

Once the fake HandyPay app is installed, the infection relies on a simple but effective setup. The app asks to be set as the device’s default NFC payment application, a request that does not look suspicious because it is part of the original HandyPay functionality. It then asks the victim to enter their payment card PIN and tap their physical card to the back of the phone. At that point the malware reads the card’s NFC data and forwards it through HandyPay’s relay service to the attacker’s device, which is tied to an email address hardcoded in the malicious app. What makes this variant especially dangerous is that relaying the NFC data requires no dangerous runtime permission that Android would prompt the user to grant: the app only has to be accepted as the default payment app, which keeps the attack below the radar of permission-based security checks. The card PIN is exfiltrated separately to the C2 server, giving the attackers everything they need for both contactless payments and ATM cash-outs.
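The infection chain above works because an app that is accepted as the default payment app can emulate and relay a card without any permission prompt, and the PIN leaves the phone over plain HTTP. As an added example (not code from the article, from ESET, or from the HandyPay project), here is a static triage script a reviewer could run over an APK decoded with apktool to surface exactly those facts: whether the app registers a host card emulation (HCE) service in the payment category, whether it has network access and allows cleartext traffic, and whether it requests any dangerous runtime permission at all. The manifest and apduservice XML below are constructed sample input; the package name and service name `.RelayHceService` are hypothetical, and the AID is Mastercard's publicly documented one used only as sample data. The Android element and attribute names are the platform's real HCE registration contract.

```python
"""Static triage of a decoded Android manifest for NFC relay capability.

Constructed example: parses the AndroidManifest.xml and the HCE apduservice
resource that apktool extracts from an APK, and reports the facts a reviewer
would check before trusting a "payment" app.
"""
from typing import Optional
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# HCE service registration names, as documented by the Android platform.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"

# Small subset of dangerous (runtime-prompted) permissions. An NFC relay
# needs none of them, which is why a permission review does not catch it.
RUNTIME_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}


def a(attr: str) -> str:
    """Qualified name of an android: attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


def triage_manifest(manifest_xml: str, apdu_service_xml: Optional[str] = None) -> dict:
    """Return the NFC and network facts relevant to a relay-style payment app."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    app = root.find("application")
    # A missing attribute means "not explicitly disabled"; the platform default
    # depends on targetSdk, which apktool writes to apktool.yml, not the manifest.
    cleartext = app is None or app.get(a("usesCleartextTraffic")) != "false"

    hce_services = []
    for svc in root.iter("service"):
        actions = {x.get(a("name")) for x in svc.iter("action")}
        metas = {m.get(a("name")) for m in svc.iter("meta-data")}
        if HCE_ACTION in actions and HCE_META in metas:
            hce_services.append({
                "name": svc.get(a("name")),
                "exported": svc.get(a("exported")) == "true",
                # A genuine HCE service is bindable only by the NFC stack.
                "bind_nfc_guard": svc.get(a("permission")) == BIND_NFC,
            })

    payment_category = False
    serves_while_locked = False
    if apdu_service_xml is not None:
        sroot = ET.fromstring(apdu_service_xml)
        payment_category = any(g.get(a("category")) == "payment"
                               for g in sroot.iter("aid-group"))
        serves_while_locked = sroot.get(a("requireDeviceUnlock")) == "false"

    result = {
        "hce_services": [s["name"] for s in hce_services],
        "payment_category": payment_category,
        "serves_while_locked": serves_while_locked,
        "internet": "android.permission.INTERNET" in perms,
        "cleartext_allowed": cleartext,
        "runtime_permissions": sorted(perms & RUNTIME_PERMISSIONS),
    }
    # Default-payment-app eligibility plus network access is what makes a relay
    # possible. It is not proof of malice (HandyPay itself is built this way);
    # it is the combination that warrants a manual look.
    result["relay_capable_payment_app"] = (
        bool(hce_services) and payment_category and result["internet"])
    return result


# Constructed sample input in the shape apktool produces (hypothetical package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.relaypay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
  <application android:usesCleartextTraffic="true">
    <service android:name=".RelayHceService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

SAMPLE_APDU_SERVICE = """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_desc" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST, SAMPLE_APDU_SERVICE).items():
        print(f"{key:26} {value}")
```

The output for the sample is a relay-capable payment app with no runtime permissions, cleartext traffic allowed, and an HCE service that keeps answering APDUs while the phone is locked. None of that distinguishes a trojanized HandyPay from the genuine one, because the manifest is inherited from the original app; the next step is to compare the APK's signing certificate and code against a known-good release, and to look at where the app sends data over the network.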

To reduce exposure, install payment apps only from official sources such as the Google Play Store, never from third-party websites or links shared over messaging apps. Keep Google Play Protect enabled on Android devices; it detects the known versions of this malware. Never enter a payment card PIN into a newly installed or unfamiliar app, least of all one claiming to be a prize or card-protection tool. If an app from an untrusted source asks to become the default NFC payment app or to read a card over NFC, uninstall it immediately and report the incident to the bank or card issuer.

This post is licensed under CC BY 4.0 by the author.