Cyber crooks are abusing a trojanized Android NFC-relay application to capture near field communication (NFC) card data and PINs, relay them to an attacker-controlled device, and drain victim accounts through contactless cash-outs.
According to ESET researchers, a new variant of the NGate malware has been infused into the HandyPay NFC-relay application to transfer NFC data to the attacker’s device and use it for contactless ATM cash-outs.
Use of AI is suspected in the campaign. “To trojanize HandyPay, threat actors most probably used GenAI, indicated by emoji left in the logs that are typical of AI-generated text,” the researchers said in a blog post.
The campaign has been distributing two malware samples, through a fake lottery website and a fake Google Play website, in attacks targeting Android users in Brazil since November 2025.
Legit app doing the dirty work
ESET researchers pointed out that the campaign marks a shift by the NGate operators from custom tooling to a trojanized legitimate application. Because HandyPay was built to relay NFC data between devices, the trojanized build needs few additional permissions and its behaviour blends into expected payment workflows.
This approach avoids building relay tooling from scratch (earlier NGate builds were based on the open-source NFCGate toolkit) and instead grafts malicious code onto an existing NFC-capable app. By repurposing an NFC-relay app, the attackers inherit functionality that already handles the core data exchange, the researchers noted.
An NFC-relay app is a tool that captures contactless communication from a card or device and forwards it in real time to another device, extending the short-range Near Field Communication signal over a network for remote use.
Because the app operates within expected NFC workflows, it is easier for attackers to mask the attack.
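To make the relay mechanism concrete, here is a minimal two-sided APDU relay written for this article; it is an added example, not HandyPay or NGate code. One side stands in for the phone held near the victim's card and answers APDUs from a constructed toy card table (the AID and responses are placeholders, not real EMV data); the other side stands in for the phone presented to the terminal or ATM and forwards every command it receives over TCP on loopback. The example also records the round-trip time of each forwarded command, because the added network hop is exactly what timing-based relay-resistance checks in contactless kernels are designed to catch.

```python
import socket
import threading
import time

# Constructed toy "card": maps command APDUs to response APDUs.
# Placeholder values for illustration only, not captured card data.
TOY_CARD = {
    # SELECT by AID (CLA=00 INS=A4 P1=04 P2=00 Lc=07 AID=A0000000031010)
    bytes.fromhex("00A4040007A000000003101000"): bytes.fromhex("6F1084086E6F6F7020636172649000"),
    # Placeholder GET PROCESSING OPTIONS exchange
    bytes.fromhex("80A8000002830000"): bytes.fromhex("770A820200009000"),
}
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")


def recv_exact(conn, n):
    """Read exactly n bytes from a socket or raise if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def card_side_serve(conn):
    """Phone B (near the victim's card): receives length-prefixed APDUs from
    the network, 'taps' them against the card, and returns the response."""
    with conn:
        while True:
            hdr = conn.recv(2)
            if len(hdr) < 2:
                return
            apdu = recv_exact(conn, int.from_bytes(hdr, "big"))
            resp = TOY_CARD.get(apdu, SW_INS_NOT_SUPPORTED)
            conn.sendall(len(resp).to_bytes(2, "big") + resp)


def start_card_side(host="127.0.0.1", port=0):
    """Start Phone B's listener on an ephemeral port; returns its address."""
    srv = socket.socket()
    srv.bind((host, port))
    srv.listen(1)

    def accept_loop():
        conn, _ = srv.accept()
        card_side_serve(conn)
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


class RelayReader:
    """Phone A (presented to the terminal): emulates a card and forwards every
    APDU it is given to Phone B, timing each round trip."""

    def __init__(self, addr):
        self.sock = socket.create_connection(addr)
        self.rtts = []  # seconds per relayed command

    def transceive(self, apdu: bytes) -> bytes:
        t0 = time.perf_counter()
        self.sock.sendall(len(apdu).to_bytes(2, "big") + apdu)
        n = int.from_bytes(recv_exact(self.sock, 2), "big")
        resp = recv_exact(self.sock, n)
        self.rtts.append(time.perf_counter() - t0)
        return resp

    def close(self):
        self.sock.close()


def run_relay_demo():
    """Terminal-side view: SELECT, GPO and an unsupported command all pass
    through the relay and come back with the remote toy card's answers.
    Returns (responses, max round-trip time in milliseconds)."""
    reader = RelayReader(start_card_side())
    commands = [
        bytes.fromhex("00A4040007A000000003101000"),  # SELECT AID
        bytes.fromhex("80A8000002830000"),            # GPO placeholder
        bytes.fromhex("00B2010C00"),                  # READ RECORD, not in toy card
    ]
    responses = [reader.transceive(c) for c in commands]
    reader.close()
    return responses, max(reader.rtts) * 1000.0


if __name__ == "__main__":
    resps, worst_ms = run_relay_demo()
    for r in resps:
        print(r.hex())
    print(f"worst relayed round trip: {worst_ms:.2f} ms")
```

On loopback the added latency is well under a millisecond, but across a mobile network it is tens to hundreds of milliseconds, which is why contactless EMV kernels that implement relay-resistance timing checks reject exchanges whose measured response time exceeds the card's declared limits. A trojanized relay app inherits the data path, not a way around that check.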
The distribution channels include a fake lottery site impersonating Brazil’s “Rio de Premios,” and a spoofed Google Play page advertising a “card protection” tool.
AI was likely used
ESET researchers also spotted something unusual in the malware’s internals. Some traces suggested generative AI may have played a role in its development.
Specifically, the injected malicious code contains emoji markers in debug logs, something more commonly associated with AI-generated output than human-written malware. The researchers noted that this isn’t definitive proof but aligns with a broader trend of attackers using large language models to accelerate malware creation.
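A reviewer triaging a decompiled APK can turn that observation into a quick heuristic. The following scanner is an added example written for this article, not ESET's tooling: it finds Android `Log.*` calls in decompiled Java-style source, flags those whose message contains emoji code points, and reports the share of log calls affected. The sample source lines are constructed for the example and are not strings from the NGate or HandyPay sample.

```python
import re

# Constructed decompiled-source snippet; the strings are invented for this
# example and are not taken from any real malware sample.
SAMPLE_SOURCE = """\
Log.d("NfcRelay", "Forwarding APDU to peer");
Log.d("Relay", "✅ Connected to server, starting session 🚀");
Log.e("Relay", "❌ Failed to read card, retrying...");
Log.i("HandyPay", "tag discovered, tech list=" + techs);
"""

# Matches Log.v/d/i/w/e("TAG", "message"...) with a literal message prefix.
LOG_CALL = re.compile(r'Log\.[vdiwe]\(\s*"([^"]*)"\s*,\s*"([^"]*)"')


def is_emoji(ch: str) -> bool:
    """Coarse check for the Unicode blocks most emoji live in (pictographs,
    dingbats, misc symbols, variation selector). Good enough for triage."""
    cp = ord(ch)
    return (
        0x1F300 <= cp <= 0x1FAFF   # misc symbols & pictographs .. symbols ext-A
        or 0x2600 <= cp <= 0x27BF  # misc symbols, dingbats (✅ ❌ ⚠ ...)
        or 0x2B00 <= cp <= 0x2BFF  # misc symbols and arrows (⭐ ...)
        or cp == 0xFE0F            # emoji variation selector
    )


def flag_emoji_logs(source: str):
    """Return (line_no, tag, emoji_found) for every log call whose literal
    message contains at least one emoji code point."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = LOG_CALL.search(line)
        if not m:
            continue
        tag, msg = m.groups()
        emoji = "".join(c for c in msg if is_emoji(c))
        if emoji:
            hits.append((lineno, tag, emoji))
    return hits


def emoji_log_ratio(source: str) -> float:
    """Fraction of recognised log calls that carry emoji; a high ratio across
    a whole APK is a stronger signal than a single hit."""
    total = sum(1 for line in source.splitlines() if LOG_CALL.search(line))
    return len(flag_emoji_logs(source)) / total if total else 0.0


if __name__ == "__main__":
    for lineno, tag, emoji in flag_emoji_logs(SAMPLE_SOURCE):
        print(f"line {lineno}: tag={tag!r} emoji={emoji}")
    print(f"emoji log ratio: {emoji_log_ratio(SAMPLE_SOURCE):.2f}")
```

Treat a hit as a prompt to look closer, not as a verdict: developers also paste emoji into log strings, and the blocks above deliberately over-match (they include ordinary dingbats). The useful signal, as the researchers note, is the pattern across the injected code rather than any single line.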
Android presently offers some protection against this attack vector in the form of its install-from-unknown-sources prompt. “The victim needs to manually install a trojanized version of HandyPay, since the app is only available outside Google Play,” the researchers said. “When a user taps the download app button in their browser, Android automatically blocks the install and shows a prompt asking them to allow installation from this source.”
For the attack to succeed, the user then needs to tap Settings in the prompt, enable “Allow from this source,” and return to the installer. That flow is routine for sideloaded apps today, so nothing in the prompt itself marks this particular download as suspicious.
ESET shared indicators in a dedicated GitHub repository, including file hashes, network indicators, and MITRE ATT&CK mappings to support detection efforts.
