Executive Summary
In November 2025, ESET researchers identified a new variant of the NGate malware family targeting Android users in Brazil. This variant exploits a legitimate NFC payment application called HandyPay by embedding malicious code, likely generated with the assistance of AI. The malware captures NFC data and payment card PINs from victims, enabling attackers to perform unauthorized contactless ATM withdrawals and payments. Distribution methods include fake lottery websites and counterfeit Google Play pages, indicating a coordinated effort by a single threat actor.
This incident underscores the evolving sophistication of cyber threats, particularly the integration of AI in malware development. The use of legitimate applications as vectors for malware distribution highlights the need for heightened vigilance and robust security measures to protect sensitive financial information.
Why This Matters Now
The integration of AI in malware development, as seen in this NGate variant, lowers the barrier for cybercriminals, enabling more sophisticated attacks with less effort. The exploitation of legitimate applications for malicious purposes emphasizes the urgency for enhanced security protocols and user awareness to prevent unauthorized access to sensitive financial data.
Attack Path Analysis
Attackers distributed a trojanized version of the HandyPay app via fake lottery and Google Play websites, leading victims to install the malicious app. Upon installation, the app prompted users to set it as the default payment application and enter their payment card PINs. The malware then relayed NFC payment data and PINs to attacker-controlled devices, enabling unauthorized transactions. Exfiltrated data was sent over HTTP to the attackers' command-and-control servers. The stolen payment information was used for contactless ATM cash-outs and unauthorized payments, resulting in financial losses for victims.
Kill Chain Progression
Initial Compromise
Description
Attackers distributed a trojanized version of the HandyPay app via fake lottery and Google Play websites, leading victims to install the malicious app.
MITRE ATT&CK® Techniques
Phishing
Obfuscated Files or Information
Input Capture: GUI Input Capture
Exfiltration Over C2 Channel
Exploitation for Privilege Escalation
Masquerading: Match Legitimate Name or Location
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Mobile malware targeting NFC payment cards enables ATM cash-outs and unauthorized transactions, directly compromising financial transaction security and customer trust.
Banking/Mortgage
NGate malware's PIN capture and NFC relay attacks threaten banking card security, enabling fraudulent withdrawals and bypassing traditional payment protections.
Consumer Electronics
Android devices with NFC capabilities become attack vectors for payment fraud through trojanized apps, requiring enhanced mobile security measures.
Telecommunications
Mobile network infrastructure carries both the malware's distribution traffic and its C&C communications, so capabilities for inspecting and controlling this traffic, including encrypted traffic, are needed to detect and prevent data exfiltration.
Sources
- New NGate variant hides in a trojanized NFC payment app: https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
- ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication: https://www.eset.com/gr-en/about/newsroom/press-releases-1/eset-threat-report-ai-driven-attacks-on-the-rise-nfc-threats-increase-and-evolve-in-sophistication/
- ESET Research discovers NGate: Android malware, which relays NFC traffic to steal victim's cash from ATMs: https://www.eset.com/us/about/newsroom/research/eset-research-discovers-ngate-android-malware-which-relays-nfc-traffic-to-steal-victims-cash-from-atms-1/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the malware's ability to exfiltrate sensitive payment data and reduced the attacker's capacity for lateral movement within the network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the malware's ability to communicate with unauthorized external servers, thereby reducing the risk of data exfiltration.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the app's access to sensitive payment systems, potentially limiting its ability to capture and misuse payment card PINs.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited the malware's ability to move laterally within the network, reducing the risk of unauthorized data relay to attacker-controlled devices.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have identified and restricted unauthorized outbound HTTP traffic to known malicious command-and-control servers.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have constrained the malware's ability to transmit stolen payment information externally, thereby reducing the risk of financial losses.
The implementation of Aviatrix Zero Trust CNSF controls would likely have reduced the overall impact by limiting the extent of data exfiltration and unauthorized transactions.
Impact at a Glance
Affected Business Functions
- Mobile Payment Processing
- Customer Financial Data Security
- Fraud Detection Systems
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of payment card information and PINs of affected users.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict application permissions and prevent unauthorized access to sensitive data.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration to unauthorized destinations.
- Utilize Threat Detection & Anomaly Response to identify and respond to unusual application behaviors indicative of compromise.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads in network traffic.
- Ensure Cloud Firewall (ACF) is configured to filter and control outbound connections, reducing the risk of data exfiltration.