"The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko wrote in a report. What happens when a legitimate mobile utility becomes the delivery vehicle for theft of payment credentials — and what does it mean when that vehicle is altered with code that may have been produced by artificial intelligence?
What researchers uncovered
Security researchers have identified a new iteration of an Android malware family known as NGate. According to reporting on the discovery, this variant does not reuse the previously observed NFCGate component; instead, operators have trojanized a legitimate application called HandyPay. The published account indicates the campaign targets Brazil and aims to steal NFC data and PINs.
How the infection was implemented, as reported
Investigators say the threat actors took the HandyPay application — a program used to relay NFC data — and modified it by adding malicious code. ESET security researcher Lukáš Štefanko characterized those modifications as appearing to be AI-generated. The result, as described in the report, is a HandyPay package that functions as a trojanized drop point for the NGate family.
Why this matters
- For technologists: the substitution of one legitimate NFC relay app for another in a malware campaign underscores the threat posed by supply-chain or repackaging techniques, and the report flags the use of code that appears AI-generated.
- For policymakers: the campaign's reported focus on Brazil and its targeting of NFC and PIN data raises questions about cross-border criminal use of mobile payment infrastructure and the need for monitoring and response strategies aligned with emerging threats.
- For users: the episode highlights how an otherwise useful utility — an app that relays NFC data — can be altered to behave maliciously, with potential consequences for sensitive payment information.
- For adversaries: the reported incorporation of code that appears AI-generated into commodity malware illustrates how attackers may seek to accelerate development or evade detection by combining automated code generation with known repackaging methods.
Looking ahead
The discovery of this NGate iteration, its trojanizing of HandyPay, and the reported use of code that appears AI-generated together present a compact but worrying pattern: trusted applications repurposed for credential theft, and tooling that may shorten attackers' development cycles. How defenders, regulators, and users respond to such patterns will shape whether this episode is an isolated case or a bellwether for broader shifts in mobile-payment threats.
Original reporting: https://thehackernews.com/2026/04/ngate-campaign-targets-brazil.html