A new variant of the NGate malware family has been identified, leveraging a trojanized Android application to capture payment card data and PINs. According to research published by ESET on April 21, the new campaign has replaced earlier tooling with a modified version of HandyPay, a legitimate near-field communication (NFC) relay app, which enables attackers to intercept and reuse sensitive financial data. The researchers said the malicious version of HandyPay has been distributed since November 2025, and primarily targets users in Brazil. Once installed, the app relays NFC payment card data from victims to attacker-controlled devices, allowing fraudulent contactless transactions and ATM withdrawals. Two separate malware samples were observed, both delivered through phishing infrastructure hosted on the same domain. One impersonates a Brazilian lottery site, while the other mimics a Google Play listing for a card protection tool. Rather than relying on established malware-as-a-service (MaaS) kits, the operators modified HandyPay to include malicious functionality. The legitimate app allows users to share NFC card data between devices, a feature repurposed by attackers to forward payment information without raising suspicion. Victims are instructed to install the app manually after interacting with fake websites. Because the app is not available on the official store, Android prompts users during installation to allow apps from unknown sources. Once installed, the malware performs several actions: Captures NFC data from payment cards tapped on the device