NFC tap-to-pay abused by criminals

Cybercriminals are using a trojanized Android payment app to steal near field communication (NFC) card data and PINs, which lets them create payment cards and withdraw money from victims’ accounts.

According to ESET researchers, a new variant of the NGate malware is embedded in the HandyPay NFC-relay application; it transmits NFC data to the attacker’s device, which is then used to withdraw money from an ATM without the victim’s card.

The use of AI is suspected in the campaign. “To exploit HandyPay, malicious actors are likely using GenAI, identified by emojis left in AI-generated text logs,” the researchers said in a blog post.

The campaign is distributing two malware samples, via a fake lottery website and a fake Google Play website, in an attack targeting Android users in Brazil starting in November 2025.

A legitimate app does the dirty work

ESET researchers pointed out that the campaign marks a shift by NGate operators from custom tools to a trojanized legitimate application. HandyPay, originally designed to relay NFC data between devices, requires minimal permissions and fits into expected payment workflows.

This approach avoids building custom tools from scratch, as seen in earlier NGate campaigns, and instead adds malicious code to an existing application that already uses NFC. By repackaging the NFC relay application, attackers inherit functionality that already handles the key data exchange, the researchers noted.

An NFC-relay application captures the wireless exchange from a card or device and forwards it in real time to another device, extending the short-range Near Field Communication signal over the network for remote use.

Because the app operates within the expected NFC workflow, the malicious activity is easy for attackers to hide.

Distribution channels include a fake lottery site impersonating Brazil’s “Rio de Premios” and a fake Google Play page advertising a “card protection” tool.

AI was likely used

ESET researchers also noticed something unusual in the malware’s internals. Some clues suggest that generative AI may have played a role in its development.

Specifically, the injected malicious code contains emoji tags in debug logs, something more commonly associated with AI-generated output than with human-written malware. The researchers noted that this is not definitive proof, but it is consistent with a broader trend of attackers using large language models to speed up malware development.

Android currently has some protection against this attack vector in the form of security notifications. “The victim needs to manually install the HandyPay version, as the app is only available outside of Google Play,” the researchers said. “When a user clicks the download app button in their browser, Android automatically blocks the installation and displays a prompt asking them to allow the installation from this source.”

For the attack to succeed, the user needs to tap Settings in the notification, enable “Allow from this source,” and go back to install the app, a very common process for third-party app installation these days. Nothing about enabling “Allow from this source” looks suspicious enough to protect users against this threat.

ESET has shared indicators of compromise in a dedicated GitHub repository, including file hashes, network indicators, and a MITRE ATT&CK mapping, to support detection and response efforts.
