A trojanized HandyPay application is used by threat actors to grab the NFC payment data of Android users
A campaign that began in November 2025 targeting Android users in Brazil is still active and growing at an alarming rate. ESET researchers have discovered a new variant of the NGate malware family that uses a trojanized version of the HandyPay application to steal the NFC payment data of Android users. Research suggests that the malware's source code was written using generative AI.
The threat actors are mainly targeting Android users in Brazil, as determined from analysis of the attackers' C&C server. The trojanized app is widely distributed through a fake website impersonating a Brazilian lottery, "Rio de Prêmios", as well as through a fake Google Play page. When asked about this, HandyPay confirmed that an internal investigation is ongoing on their side.
Code snippet - Image via ESET
Generative AI appears to have been used heavily in developing the malware. As seen in the code snippet above, the malware's log messages contain emojis, which are characteristic of AI-generated text. This suggests that LLMs were used to generate or modify the code, although there is no conclusive proof.
Image via ESET
The attack starts on the lottery page, where the victim clicks the 'Button to claim prize' and installs the trojanized HandyPay APK. Once installed, the app behaves like the original application, which makes it difficult for the user to notice anything unusual. The user is then asked to enter their card PIN into the app and tap the card against the back of the NFC-enabled smartphone. In the background, the malware collects the victim's payment information and card data and relays it to the attacker. With this relayed data, the threat actor can perform contactless transactions as well as withdraw cash from ATMs.
While explaining, ESET said, "The operator's device is linked to an email address hardcoded within the malicious app, ensuring that all captured NFC traffic is routed exclusively to the attacker. We have observed two different attacker email addresses being used in the analyzed samples. On top of the standard batch of data that is transferred in the NFC relay, the victim's payment card PIN is exfiltrated separately to a dedicated C&C server over HTTP, not relying on HandyPay infrastructure. The C&C endpoint for PIN harvesting also functions as the distribution server, centralizing both delivery and data-collection operations."
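Two traits ESET attributes to the trojanized app above are a hardcoded operator e-mail address and a cleartext HTTP endpoint used for PIN exfiltration. The following added triage script (written for this article, not ESET's or HandyPay's code) shows how a defender can scan an APK, which is just a zip archive, for those traits and flag an NFC-using app that carries both. All indicator values, the sample archives and the regex patterns are constructed for the demonstration; they are not signatures for real samples.

```python
import io
import re
import zipfile

# Constructed generic patterns: an embedded e-mail address, a cleartext
# http:// URL, and references to Android NFC permissions or classes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HTTP_RE = re.compile(rb"http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'\x00]*)?")
NFC_RE = re.compile(rb"android\.permission\.NFC|android/nfc/")


def extract_indicators(apk_bytes: bytes) -> dict:
    """Scan every entry of an APK (a zip) for embedded e-mail addresses,
    cleartext HTTP URLs and NFC API references. Returns sorted, de-duplicated
    lists so the output can be diffed against a known-good build."""
    emails, urls, nfc = set(), set(), False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            emails.update(m.decode("ascii", "replace") for m in EMAIL_RE.findall(data))
            urls.update(m.decode("ascii", "replace") for m in HTTP_RE.findall(data))
            if NFC_RE.search(data):
                nfc = True
    return {"emails": sorted(emails), "http_urls": sorted(urls), "uses_nfc": nfc}


def triage(apk_bytes: bytes) -> list:
    """Turn raw indicators into review findings: an NFC-using app that also
    embeds an e-mail address and a cleartext HTTP endpoint matches the
    relay-plus-PIN-exfiltration pattern described in the article."""
    ind = extract_indicators(apk_bytes)
    findings = []
    if ind["uses_nfc"] and ind["emails"]:
        findings.append("NFC app embeds hardcoded e-mail address(es): " + ", ".join(ind["emails"]))
    if ind["http_urls"]:
        findings.append("cleartext HTTP endpoint(s): " + ", ".join(ind["http_urls"]))
    return findings


def build_sample_apk(extra_strings: bytes) -> bytes:
    """Construct a minimal zip standing in for an APK. Only the embedded
    strings matter for this scan; the dex header and manifest are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"android.permission.NFC android.permission.INTERNET")
        zf.writestr("classes.dex", b"dex\n035\x00Landroid/nfc/NfcAdapter;" + extra_strings)
    return buf.getvalue()


# Constructed samples: a clean build (HTTPS only) and one carrying both traits.
CLEAN_APK = build_sample_apk(b"https://api.example.invalid/v1/")
SUSPECT_APK = build_sample_apk(
    b"https://api.example.invalid/v1/\x00operator@example.invalid\x00http://c2.example.invalid/pin"
)

if __name__ == "__main__":
    for name, apk in (("clean", CLEAN_APK), ("suspect", SUSPECT_APK)):
        print(name, triage(apk) or ["no findings"])
```

Run against a real APK by passing its bytes to `triage()`. The scan is a string-level heuristic, so treat a hit as a reason to compare the package against the vendor's signed release rather than as a verdict on its own.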
As NFC payments grow in use, experts warn users to be wary of such attacks and to install applications only from official sources. The use of generative AI also raises the concern that a person without technical expertise could break into payment systems.