
NGate Malware Targets Brazilian Android Users via Fake Payment App

Crime & Security · AI-Generated & Algorithmically Scored · 2 Updates

AI-generated from multiple sources. Verify before acting on this reporting.

Update

SAO PAULO — Security researchers have received additional corroborating reports confirming the spread of the NGate malware campaign targeting Brazilian Android users. These new reports validate the initial findings regarding the trojanized HandyPay NFC application and its ability to intercept payment data. The malware continues to operate across the region, with victims reporting unauthorized transactions following the installation of the compromised app. Authorities are urging users to remove the application immediately and monitor their financial accounts for suspicious activity. The campaign remains active as of this morning, with no indication that the threat actors have ceased operations. Further analysis suggests the malicious code is being distributed through multiple channels beyond the initial discovery point. Users are advised to download applications only from verified sources and enable two-factor authentication on all financial accounts to mitigate potential losses.

Update

SAO PAULO — Further reports have emerged confirming the spread of the NGate malware campaign targeting Brazilian Android users. Security teams have identified additional instances of the trojanized HandyPay NFC application circulating within the region. The new data indicates a broader distribution of the malicious software than initially assessed. Authorities are now tracking multiple vectors through which the compromised application is reaching end users. The campaign's reach appears to have expanded beyond the initial detection scope, prompting heightened alerts for mobile payment security across the country. Users are advised to exercise extreme caution when downloading financial applications from unofficial sources. The malware continues to pose a significant risk to NFC payment systems, with the potential for unauthorized transactions and ATM withdrawals remaining a primary concern. This development underscores the evolving nature of the threat and the need for continued vigilance among consumers and financial institutions.

Original Report

SAO PAULO — A new variant of the NGate malware is targeting Android users in Brazil by disguising itself within a trojanized version of the HandyPay NFC application, security researchers confirmed Monday. The malicious software is designed to intercept and steal Near Field Communication (NFC) payment data to facilitate unauthorized purchases and ATM withdrawals.

The campaign, detected on April 21, 2026, marks a significant evolution in the threat actor's tactics. Previous iterations of NGate malware focused primarily on SMS interception and banking credential theft. This latest strain specifically exploits the NFC functionality on mobile devices, allowing attackers to capture sensitive transaction details in real time as users attempt to make contactless payments.

The threat actors have uploaded the compromised version of the HandyPay app to unofficial app stores and third-party download sites. Once installed, the malware requests extensive permissions, including accessibility services and notification access, which are necessary to overlay fake login screens and capture keystrokes. The trojanized application mimics the legitimate interface of the popular Brazilian payment tool, making it difficult for users to distinguish between the authentic and malicious versions.

Security experts warn that the malware operates silently in the background, waiting for the user to initiate a transaction. When an NFC payment is attempted, the malware intercepts the data packet before it is encrypted and transmitted to the payment processor. This allows the attackers to replicate the transaction or clone the digital wallet credentials for use in other unauthorized activities.

Brazilian financial institutions have been notified of the threat. Banks are advising customers to download applications exclusively from official app stores and to verify the developer information before installation. Mobile network operators are also monitoring for unusual data patterns associated with the malware's command and control servers.

The NGate group has been active for several years, targeting users across Latin America and Europe. This specific campaign against Brazilian users represents a shift toward more sophisticated mobile payment fraud. The attackers appear to be leveraging the increasing adoption of contactless payment methods in the region.

Law enforcement agencies in Brazil are investigating the source of the malware distribution. Authorities have not yet identified the individuals or groups responsible for the campaign. The financial impact of the attack remains unclear as users continue to report compromised accounts.

Cybersecurity firms are working to update detection signatures to block the new variant. Users who have already installed the suspicious application are advised to perform a factory reset of their devices and contact their banks immediately. The situation remains fluid as security teams analyze the full scope of the infection and potential data exfiltration.