A new and more dangerous version of the NGate malware has been detected, hidden in an NFC payment application known as HandyPay. This malicious software has been active since November 2025 and uses artificial intelligence to write its code, marking a significant shift in the techniques employed by cybercriminals to develop attack tools.
Do not enter your card PIN in unknown applications
The HandyPay application, originally a legitimate app available on Google Play since 2021, has been trojanized. The attackers have distributed the malicious version outside the official store through two distinct channels. The first is a fake lottery website impersonating the Brazilian lottery organization Rio de Premios, where users are lured with a fraudulent scratch card game. The second is a fake Google Play page that deceives users into downloading the malware under the name Card Protection.
Once the application is installed, HandyPay asks the user to set it as the default NFC payment app. This seems harmless because it is part of the app's original functionality. However, when the user enters their card PIN and brings their card close to the phone, the malware captures the card information and sends it to an attacker-controlled device. It does this without requiring special permissions, which makes it difficult to detect.
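Because the trojanized build is sideloaded and then becomes the default NFC payment app, one device-side check is to compare the default payment handler with its install source. The following is an added example, not code from the researchers or the article: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure nfc_payment_default_component`, assumes the device exposes its default payment app through that setting, and uses constructed sample output with hypothetical package names.

```python
import re

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store

# Constructed sample of `adb shell pm list packages -i` output (hypothetical packages).
SAMPLE_PACKAGES = """\
package:com.google.android.gms  installer=com.android.vending
package:com.example.cardprotection  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
package:com.example.preloaded  installer=null
"""
# Constructed sample of `adb shell settings get secure nfc_payment_default_component`.
SAMPLE_DEFAULT = "com.example.cardprotection/com.example.cardprotection.HceService"


def parse_installers(pm_output):
    """Map each package name to its installer package (None when not recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def default_payment_package(setting_value):
    """Extract the package from a 'package/service' component string."""
    value = setting_value.strip()
    if not value or value == "null":
        return None
    return value.split("/", 1)[0]


def audit(pm_output, setting_value, trusted=(PLAY_INSTALLER,)):
    """Flag a default NFC payment app that was not installed by a trusted store."""
    pkg = default_payment_package(setting_value)
    if pkg is None:
        return {"package": None, "installer": None, "suspicious": False}
    installer = parse_installers(pm_output).get(pkg)
    # Preloaded system apps also report no installer, so a flag here means
    # "review manually", not "confirmed malicious".
    return {"package": pkg, "installer": installer,
            "suspicious": installer not in trusted}


if __name__ == "__main__":
    print(audit(SAMPLE_PACKAGES, SAMPLE_DEFAULT))
```
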

Researchers from WeLiveSecurity have identified signs that the malicious code was generated by artificial intelligence. Users are advised to download paid applications only from official sources and to enable Google Play Protect for added security. It is also crucial not to enter a card PIN in unknown applications, especially those that appear to offer prizes or card protection.