Android NFC Stealer NGate Targets Brazil via Fake Lottery and Counterfeit Google Play Page
| Group | Unknown. Attribution unconfirmed. Financially motivated cybercriminal actor. |
| Type | Android NFC Relay Malware / Mobile Infostealer |
| Malware | Android/Spy.NGate.CC and Android/Spy.NGate.CB — trojanised versions of the legitimate HandyPay NFC relay application, augmented with AI-generated malicious code to capture payment card PINs and relay NFC card data to attacker-controlled devices |
| Score | 🟠8.5 High. Active exploitation confirmed with real victims. Novel use of AI-generated malicious code. Enables immediate financial fraud via contactless ATM withdrawals and card payments. |
| Observed | 22 April 2026 |
Overview
ESET Research published findings on 21 April 2026 confirming a new variant of the NGate Android malware family is actively targeting consumers in Brazil. Unlike prior NGate campaigns that relied on the open-source NFCGate library for NFC data relay, this operation trojanises HandyPay, a commercially available NFC relay application available on Google Play since 2021. The switch to HandyPay is deliberate: existing malware-as-a-service NFC kits cost hundreds of dollars per month, while HandyPay's lower subscription model made it an economically attractive target for the operators.
The campaign has been running since at least November 2025, making it one of the longer-running active NGate operations. Brazil is a new addition to the NGate target map, representing the first known campaign from this malware family to focus exclusively on South American users. ESET confirmed four devices geolocated in Brazil were compromised, with captured PINs, IP addresses, and timestamps recovered from the attacker's command-and-control server logs.
What distinguishes this variant technically is strong evidence that the malicious payload injected into HandyPay was written or modified using a large language model. Debug and toast messages within the injected code contain emoji characters that are characteristic of AI-generated output. This marks a clear shift in attacker tooling and indicates threat actors are now using generative AI to lower the development cost and skill barrier for mobile malware production.
The attack chain is straightforward but effective. Victims are lured via fake websites and a counterfeit Google Play page into installing the trojanised app, which then silently forwards NFC card data to the attacker's device while capturing the victim's PIN through a spoofed input screen. The attacker can subsequently use that card data and PIN combination to make contactless withdrawals at ATMs or complete unauthorised payments, entirely without physical access to the victim's card.
Key Details
Delivery Method – Trojanised Android APK distributed outside Google Play via a fake lottery website impersonating Rio de Prêmios (the Rio de Janeiro state lottery) and a counterfeit Google Play web page advertising an app called Proteção Cartão (Card Protection).
Target – Android users in Brazil. Broader targeting across any country is plausible as the campaign scales. Primary financial exposure is to individuals using contactless payment-enabled debit and credit cards.
Functions
- Relays NFC card data from the victim's device to an attacker-controlled device using the HandyPay relay service
- Captures payment card PINs through a fake PIN input overlay within the trojanised app
- Exfiltrates captured PINs to a remote C2 server over unencrypted HTTP
- Enables the threat actor to perform contactless ATM withdrawals and card payments using relayed NFC data combined with the stolen PIN
- Masquerades as a legitimate financial application to avoid raising suspicion during installation
Obfuscation – The app requests no elevated Android permissions beyond being set as the default NFC payment application, a request that appears routine. The AI-generated payload also lacks the handwritten-code fingerprint that static analysis tools would otherwise flag.
Attack Vectors
Stage 1 — Social Engineering via Fake Lottery Site: Victims arrive at a website mimicking Rio de Prêmios, the official Rio de Janeiro state lottery. The page presents a fake scratch card game in which every attempt returns an apparent prize of R$20,000. Victims are directed to tap a button to claim their winnings, which opens a pre-drafted WhatsApp message to a threat-actor-controlled contact. This WhatsApp interaction is the likely handoff point at which victims are directed to download the trojanised HandyPay APK hosted on the same server.
Stage 2 — Counterfeit Google Play Distribution: A second delivery vector is a fake Google Play web page advertising Proteção Cartão (Card Protection). Both the fake lottery site and this fake Play page are hosted on the same domain, confirming a single coordinated threat actor behind both distribution channels.
Stage 3 — Installation and Permission Capture: Because the APK is distributed outside the official Play Store, Android displays a sideload warning during installation. The app requests only one permission: to be set as the default NFC payment application. This request mimics the standard setup flow for any legitimate NFC payment app and does not trigger unusual permission warnings.
Stage 4 — NFC Relay and PIN Exfiltration: Once installed, the trojanised HandyPay prompts the victim to enter their payment card PIN and tap their physical card against the back of their phone. The malicious overlay captures the PIN and exfiltrates it to the C2 server over HTTP. HandyPay's own NFC relay service simultaneously transmits the card's NFC data to an attacker-controlled device. The attacker, now holding both the relayed NFC signal and the stolen PIN, can perform contactless ATM withdrawals or card purchases in real time.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes (SHA-1)
| SHA-1 Hash | Filename | Detection | Description |
|---|---|---|---|
| 48A0DE6A43FC6E49318AD6873EA63FE325200DBC | PROTECAO_CARTAO.apk | Android/Spy.NGate.CC | NGate Android malware — Proteção Cartão variant |
| A4F793539480677241EF312150E9C02E324C0AA2 | PROTECAO_CARTAO.apk | Android/Spy.NGate.CB | NGate Android malware — Proteção Cartão variant |
| 94AF94CA818697E1D99123F69965B11EAD9F010C | Rio_de_Prêmios_Pagamento.apk | Android/Spy.NGate.CB | NGate Android malware — fake lottery variant |
Network Indicators
| IP Address | Domain | Provider | First Seen | Role |
|---|---|---|---|---|
| 104.21.91[.]170 | protecaocartao[.]online | Cloudflare, Inc. | 2025-11-08 | NGate distribution website (single source — verify before blocking) |
| 108.165.230[.]223 | N/A | BattleHost (KAUA REIS DA SILVA) | 2025-11-09 | NGate C2 server |
Distribution URLs
| URL | Purpose |
|---|---|
| hxxps://protecaocartao[.]online | Primary distribution domain for both NGate APK samples |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1660 | Phishing | Victims lured via fake lottery and fake Google Play websites hosting malicious APKs |
| T1417.002 | Input Capture: GUI Input Capture | Trojanised app presents fake PIN entry screen to steal payment card PIN |
| T1646 | Exfiltration Over C2 Channel | Stolen PINs exfiltrated to C2 server over unencrypted HTTP |
| T1444 | Masquerade as Legitimate Application | HandyPay trojanised to appear as a legitimate NFC payment or card protection app |
| T1481 | Web Service Abuse | HandyPay's legitimate NFC relay service abused to transmit card data to attacker device |
Mitigation and Prevention
Block Sideloaded APK Installation
Android's default protection against sideloading is the first and most effective barrier against this threat. Users and mobile device management (MDM) policies should enforce that app installations are permitted only from the official Google Play Store. Disabling "Install Unknown Apps" in Android settings blocks the delivery vector entirely.
Treat Lottery and Prize Notification Messages with Suspicion
The primary social engineering vector is a fake lottery website guaranteeing a cash prize of R$20,000. Users receiving unsolicited links to lottery claims via WhatsApp, SMS, or social media should verify the URL against the official lottery domain before interacting with any download button. Legitimate lotteries do not require installation of third-party apps to claim prizes.
Verify NFC Payment App Permissions Before Approval
Any app requesting to become the default NFC payment application warrants scrutiny. Users should confirm the app is from a recognised, verified publisher on the official Play Store before granting this permission. A freshly installed app with no Play Store presence asking to handle NFC payments is a strong indicator of compromise.
Deploy Mobile Threat Defence on Managed Devices
Enterprise and government MDM solutions should include mobile threat defence (MTD) capable of detecting trojanised APKs through behavioural analysis. ESET detects both variants under Android/Spy.NGate.CC and Android/Spy.NGate.CB. Ensure device security products carry up-to-date definitions and are scanning sideloaded app activity.
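One way to action the published hashes on a quarantine share or APK collection, as an added example (not ESET's or the report's own tooling): the three SHA-1 values come from the IOC table above, while the scan path and script name are assumptions.

```python
# Added example (not ESET's code): hash APK files and match them against the three
# SHA-1 indicators published in this report. Directory paths are assumptions.
import hashlib
import io
import sys
from pathlib import Path

# SHA-1 indicators from this report's IOC table, keyed for O(1) lookup.
NGATE_SHA1 = {
    "48A0DE6A43FC6E49318AD6873EA63FE325200DBC": "Android/Spy.NGate.CC (PROTECAO_CARTAO.apk)",
    "A4F793539480677241EF312150E9C02E324C0AA2": "Android/Spy.NGate.CB (PROTECAO_CARTAO.apk)",
    "94AF94CA818697E1D99123F69965B11EAD9F010C": "Android/Spy.NGate.CB (Rio_de_Prêmios_Pagamento.apk)",
}

def sha1_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in 1 MiB chunks so large APKs are never fully loaded."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest().upper()   # uppercase to match the table's formatting

def match_bytes(data, iocs=NGATE_SHA1):
    """Return the detection label for in-memory sample bytes, or None if unknown."""
    return iocs.get(sha1_of_stream(io.BytesIO(data)))

def match_file(path, iocs=NGATE_SHA1):
    """Return the detection label for a file on disk, or None if unknown."""
    with open(path, "rb") as f:
        return iocs.get(sha1_of_stream(f))

def scan_directory(root, iocs=NGATE_SHA1):
    """Yield (path, label) for every .apk under root whose SHA-1 is a known IOC."""
    for apk in Path(root).rglob("*.apk"):
        label = match_file(apk, iocs)
        if label:
            yield apk, label

if __name__ == "__main__":
    # Usage: python ngate_hash_scan.py /path/to/quarantine   (path is an assumption)
    for path, label in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {path}: {label}")
```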
Monitor for AI-Generated Malware Signatures
This campaign is among the first confirmed cases of AI-generated malicious code in an Android infostealer. Static analysis teams should expand detection heuristics to account for LLM-generated code patterns, which can produce syntactically unusual but structurally valid payloads that bypass rules tuned against handwritten malware.
Block C2 Infrastructure at Network Perimeter
Block outbound connections to 108.165.230[.]223 and protecaocartao[.]online at the network perimeter and in DNS filtering solutions. HTTP exfiltration of PINs to the C2 server can be detected by content inspection tools watching for abnormal POST requests from mobile endpoints.
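The perimeter check described above, as an added example that is not part of the original report: it flags proxy log lines that hit the report's C2 and distribution indicators, and separately surfaces plaintext HTTP POSTs from Android clients for review. The log layout and all sample lines are constructed; the Cloudflare address is excluded because it is shared infrastructure.

```python
# Added example (not ESET's or the report's code): flag proxy log lines that hit the
# NGate indicators from this report. The log layout is a constructed, simplified
# access-log format (timestamp, client, method, URL, "user agent"); adapt parse_line
# to your proxy's real format.
import re
from urllib.parse import urlsplit

# Indicators from this report with defanging removed. The Cloudflare address
# 104.21.91[.]170 is shared infrastructure and is deliberately left out.
C2_HOSTS = {"108.165.230.223", "protecaocartao.online"}

# Constructed sample lines (10.0.0.0/8 clients; 203.0.113.9 is TEST-NET-3).
SAMPLE_LOG = """\
2026-04-22T10:01:03Z 10.0.5.14 POST http://108.165.230.223/ "Dalvik/2.1.0 (Linux; U; Android 13)"
2026-04-22T10:01:09Z 10.0.5.14 GET https://protecaocartao.online/ "Mozilla/5.0 (Linux; Android 13) Chrome"
2026-04-22T10:02:11Z 10.0.7.22 POST https://www.example.com/login "Mozilla/5.0 (Windows NT 10.0)"
2026-04-22T10:03:40Z 10.0.5.31 POST http://203.0.113.9/api "Dalvik/2.1.0 (Linux; U; Android 12)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Parse one line into a dict; return None for malformed lines instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}

def is_mobile(ua):
    return "Android" in ua or ua.startswith("Dalvik/")

def classify(entry):
    """Return a finding label for one entry, or None if nothing matches."""
    host = urlsplit(entry["url"]).hostname or ""
    if host in C2_HOSTS:
        return "known-ngate-indicator"       # direct hit on published infrastructure
    if entry["method"] == "POST" and entry["url"].startswith("http://") and is_mobile(entry["ua"]):
        return "plaintext-post-from-mobile"  # weaker signal: review, do not auto-block
    return None

def scan_log(text):
    """Classify every parseable line and return (client, url, label) findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            findings.append((entry["client"], entry["url"], label))
    return findings
```

Running `scan_log(SAMPLE_LOG)` returns two indicator hits for 10.0.5.14 and one review-only finding for 10.0.5.31; the Windows client's HTTPS POST produces nothing.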
Report Fraudulent App Distribution Sites
If the fake Rio de Prêmios or fake Google Play pages are discovered by users, they should be reported to Google Safe Browsing and local CERT authorities. Reporting accelerates domain takedown and reduces the window of exposure for other potential victims.
Risk Assessment
NFC-based payment fraud is expanding rapidly and this campaign reflects a meaningful evolution in attacker methodology. The switch from the well-known NFCGate library to HandyPay demonstrates that threat actors are actively monitoring commercial NFC tooling for cost-effective alternatives to established MaaS offerings. The introduction of AI-generated payload code is a stronger signal: if LLMs can be used to write functional NFC relay malware with PIN capture capability, the development overhead for mobile financial fraud drops substantially, lowering the barrier for entry-level criminal actors.
The four confirmed victims identified in C2 server logs are almost certainly an undercount, given that the campaign has been active since November 2025. The attack method requires no elevated Android permissions, making it effectively invisible to the permission-based detection heuristics used by many consumer antivirus products. For financial institutions with customer bases in Brazil, the risk of chargebacks and fraud disputes from ATM transactions conducted via relayed NFC signals is real and immediate.
The geographic pivot to Brazil is significant. Brazil has one of the world's highest rates of contactless payment adoption, and its banking environment runs on infrastructure that does not universally enforce liveness detection during NFC-based ATM withdrawals. Threat actors selecting Brazil as the first South American target for NGate have clearly assessed the technical and regulatory environment as favourable to this type of fraud.
Conclusion
The most urgent action is straightforward: any Android user who has installed a financial or lottery application from a link received via WhatsApp or a non-Play Store web page should uninstall that application immediately, check card statements for unauthorised contactless transactions, and contact their bank to request a card replacement. IT and security teams should block the confirmed C2 infrastructure and add the published SHA-1 hashes to their mobile threat detection platforms.
This campaign illustrates a convergence of two trends that will define mobile security through the remainder of 2026: the commoditisation of NFC relay tooling via trojanised legitimate apps, and the adoption of generative AI to reduce malware development costs. Both trends favour attackers. Defenders need mobile threat detection that operates on behavioural signals rather than static signatures, because AI-generated payloads will continue to slip past rules written for human-authored code.
Sources
- ESET Research — New NGate variant hides in a trojanised NFC payment app (April 2026)
- The Hacker News — NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs (April 2026)
- BleepingComputer — NGate Android malware uses HandyPay NFC app to steal card data (April 2026)
- Help Net Security — NGate NFC malware targets Android users through trojanised payment app (April 2026)
- GlobeNewswire — ESET Research: New NGate hides in NFC payment app, possibly built with AI (April 2026)
- ESET GitHub — NGate IoC Repository