RC RANDOM CHAOS

NGate Malware Trojanizes Brazilian HandyPay App to Relay NFC Data and PINs

· via The Hacker News

Original source

NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs

The Hacker News →

A fresh NGate campaign is targeting Brazilian banking customers by distributing a trojanized clone of HandyPay, a legitimate point-of-sale application. Once installed, the malware relays NFC card data from the victim’s device to an attacker-controlled handset in real time, enabling fraudulent contactless transactions at ATMs and terminals without ever possessing the physical card. The operation also harvests PINs entered through spoofed banking interfaces, giving operators everything needed to drain accounts or cash out at scale.

NGate’s technique — originally documented in European campaigns — abuses Android’s host card emulation and NFC relay capabilities to turn infected phones into remote-controlled proxies for victim cards. The Brazilian variant adapts social engineering and lure infrastructure to local banking brands, suggesting operators are iterating on regional targeting rather than running a single global campaign. Delivery relies on phishing sites and side-loaded APKs rather than Play Store distribution, which narrows reach but sidesteps store-level review.

The campaign exposes a structural weakness in contactless payment trust models: NFC protocols assume physical proximity between card and terminal, an assumption that relay malware breaks cleanly. Detection is difficult because the fraudulent transactions appear as legitimate in-person taps from the attacker’s device. Mitigation sits with issuers — transaction velocity checks, geographic anomaly detection, and stricter PIN verification thresholds — rather than end-user hygiene alone.
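The issuer-side checks named above, sketched as an added example that is not part of the original article: a geographic anomaly ("impossible travel") test and a transaction velocity test run over card-present taps. The `Tap` record, the thresholds and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for illustration; an issuer would tune these.
MAX_SPEED_KMH = 900.0                    # faster than an airliner is implausible
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                       # card-present taps allowed per window

@dataclass(frozen=True)
class Tap:                               # hypothetical authorization record
    card: str
    ts: datetime
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle distance between two taps (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_taps(taps):
    """Return [(tap, reasons)] for taps that trip either check."""
    history, alerts = {}, []
    for tap in sorted(taps, key=lambda t: t.ts):
        seen, reasons = history.setdefault(tap.card, []), []
        if seen:
            dist = km_between(seen[-1], tap)
            hours = (tap.ts - seen[-1].ts).total_seconds() / 3600
            if dist > 1.0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        if sum(tap.ts - t.ts <= VELOCITY_WINDOW for t in seen) >= VELOCITY_LIMIT:
            reasons.append("velocity")
        seen.append(tap)
        if reasons:
            alerts.append((tap, reasons))
    return alerts

def _t(card, hhmm, place):
    return Tap(card, datetime.fromisoformat(f"2024-01-01T{hhmm}"), *place)

# Constructed sample: card-A taps in São Paulo, then 20 minutes later in Recife.
SP, REC, RIO = (-23.55, -46.63), (-8.05, -34.88), (-22.91, -43.17)
SAMPLE_TAPS = [
    _t("card-A", "12:00", SP), _t("card-A", "12:20", REC), _t("card-A", "12:22", REC),
    _t("card-A", "12:24", REC), _t("card-A", "12:26", REC),
    _t("card-B", "12:05", RIO), _t("card-B", "13:05", RIO),
]
```

Calling `flag_taps(SAMPLE_TAPS)` flags the first Recife tap as impossible travel and the fourth tap in the burst as a velocity breach, while card-B raises nothing.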

This is an AI-generated summary. Read the original for the full story.