NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Ravie Lakshmanan | Apr 21, 2026 | Mobile Security / Artificial Intelligence
What’s new
A new campaign using the NGate malware targets users in Brazil by trojanizing the HandyPay application to steal NFC data and payment card PINs. The malware lets attackers relay NFC data from victims’ payment cards to the attackers’ own devices for unauthorized transactions, including ATM cash-outs. The campaign has been active since November 2025 and uses fake lottery websites to distribute the malicious app.
Who’s affected
Users in Brazil who download the trojanized HandyPay app, which is not available on the Google Play Store, are at risk. The campaign specifically targets individuals using NFC-enabled payment cards.
What to do
- Advise users to avoid downloading apps from unofficial sources and to verify app legitimacy before installation.
- Encourage users to monitor their bank statements for unauthorized transactions and report any suspicious activity immediately.
- Implement security measures such as mobile device management (MDM) to restrict app installations on corporate devices.



