Rupert Marais has spent years on the front lines of mobile security, witnessing the constant evolution of how threat actors infiltrate the devices we trust most. As an expert in endpoint protection and network management, he has observed a sophisticated shift in tactics, moving away from obvious viruses toward the subtle subversion of legitimate tools. In this conversation, we explore the recent NGate campaign that has surfaced in Brazil, where attackers are leveraging trojanized versions of the HandyPay application to siphon financial data. We dive into the psychology of social engineering, the technical nuances of NFC relay attacks, and the unsettling role that generative artificial intelligence is beginning to play in the development of modern malware.
Malware campaigns are shifting from specialized tools toward trojanizing legitimate applications like HandyPay. Why is this transition occurring, and how does an app that only requests “default payment” status help attackers bypass mobile security filters that typically look for excessive permissions?
The shift toward trojanizing apps like HandyPay is a strategic move to blend into the noise of a user’s daily digital life. When a piece of malware asks for twenty different permissions, from your microphone to your contacts, it triggers every alarm bell in a modern security suite. However, by taking an existing application that already possesses NFC relay functionality, attackers can maintain a very low profile. HandyPay is particularly dangerous in this context because it natively requires almost no traditional permissions; it simply asks the user to set it as the default payment application. This single request feels perfectly logical to a victim who thinks they are setting up a financial tool, allowing the attacker to bypass the heuristic filters that usually flag suspicious behavior.
Threat actors in Brazil are using lottery-themed websites and fake “card protection” listings to distribute malicious payloads. What specific social engineering triggers make these lures effective for stealing financial data, and what steps should security teams take to disrupt these fraudulent distribution chains?
In Brazil, the attackers have cleverly tapped into local culture by masquerading as the Rio de Prêmios, a popular state-run lottery. They use a high-pressure social engineering trigger by telling users they have won a prize but must first click a button to send a WhatsApp message to claim it. This move to a private messaging platform creates a false sense of intimacy and legitimacy, which eventually leads the victim to download the poisoned version of HandyPay. To disrupt these chains, security teams need to focus on proactive brand monitoring and the rapid takedown of these fraudulent domains. We also need to see more aggressive “sinkholing” of the command-and-control servers that these campaigns have been using since they first ramped up operations around November 2025.
When a victim enters a PIN and taps their card against a compromised smartphone, the NFC data is relayed for immediate ATM withdrawals. Can you explain the technical hurdles of this relay process and describe the infrastructure needed to maintain a stable connection between the victim and the attacker’s device?
The technical challenge of an NFC relay attack lies in the strict timing requirements of the transaction; if the data takes too long to travel from the victim’s card to the attacker’s device at an ATM, the transaction will time out. The NGate malware overcomes this by capturing the payment card PIN directly through the trojanized interface and then exfiltrating that data to a central command-and-control server. Simultaneously, it creates a bridge that streams the NFC radio data in real time to the attacker’s smartphone. The attacker is essentially standing at an ATM, holding their phone to the reader, while the victim’s card data is being “beamed” to them over the internet. It requires a robust, low-latency infrastructure to ensure the connection doesn’t drop during those critical seconds of communication between the card and the bank’s terminal.
Recent analysis of malicious artifacts has revealed the presence of emojis in debug messages, suggesting the use of large language models for code generation. How does generative AI lower the barrier for entry for cybercriminals, and what unique indicators should analysts look for in AI-assisted malware?
The discovery of emojis within debug and toast messages is a fascinating “tell” that strongly suggests these developers are using large language models to help write or modify their code. Generative AI significantly lowers the barrier for entry because an individual with very little technical expertise can now ask a chatbot to help them patch a legitimate APK with malicious hooks. For analysts, this means we are seeing a shift in the “fingerprints” left behind in the code; instead of the rigid, professional structure of a seasoned developer, we see these odd, human-like flourishes or syntactical quirks common to AI outputs. We are entering an era where the speed of malware iteration will outpace traditional signature-based detection, making behavioral analysis more critical than ever.
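An added analyst-side triage heuristic for the indicator described in the answer above (example code written for this page, not the interviewee's tool and not NGate code): it scans decompiled Android source for emoji inside the string arguments of Log.* and Toast.makeText calls. The emoji code-point ranges are an assumption tuned for triage, and the sample snippet is constructed.

```python
"""Triage heuristic: flag emoji in debug/toast strings of decompiled Android code."""
import re

# Assumption: common emoji blocks; not exhaustive, chosen for quick triage.
EMOJI_RE = re.compile(
    "[\U0001F000-\U0001FAFF\u2600-\u27BF\u2B00-\u2BFF]"
)
# Calls whose string arguments end up in logcat or on the user's screen.
DEBUG_CALL_RE = re.compile(r"\b(Log\.[vdiwe]|Toast\.makeText)\s*\(")
# Java string literal, allowing escaped quotes inside.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_emoji_debug_strings(source: str):
    """Return (line_no, call_name, literal) for every string literal containing
    an emoji on a line that also carries a Log.* or Toast.makeText call."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        call = DEBUG_CALL_RE.search(line)
        if not call:
            continue
        for literal in STRING_RE.findall(line):
            if EMOJI_RE.search(literal):
                hits.append((line_no, call.group(1), literal))
    return hits


# Constructed sample resembling decompiled Java from a trojanized APK (not real malware).
SAMPLE = '''
package com.example.payments;
public class RelayService {
    void start() {
        Log.d("Relay", "🚀 Starting NFC relay service");
        Log.d("Relay", "Socket connected");
        Toast.makeText(ctx, "✅ Card linked successfully!", Toast.LENGTH_SHORT).show();
        String msg = "😀 not a log or toast call, so it is ignored";
    }
}
'''

if __name__ == "__main__":
    for line_no, call_name, literal in find_emoji_debug_strings(SAMPLE):
        print(f"line {line_no}: {call_name} -> {literal!r}")
```

Point the function at the output of a decompiler such as jadx and treat hits as a prompt for deeper behavioral analysis rather than as proof of AI authorship.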
Some independent operators are choosing to patch existing apps rather than paying over $400 monthly for Malware-as-a-Service subscriptions. How does this cost-saving motive influence the variety of threats we see in the wild, and what metrics can be used to track the economic viability of these campaigns?
The decision to move away from turnkey Malware-as-a-Service (MaaS) solutions, which often cost north of $400 per month, tells us that threat actors are becoming more budget-conscious and self-reliant. By trojanizing an app like HandyPay themselves, they eliminate the monthly overhead and gain more control over the specific features of the payload. This cost-saving motive leads to a much wider variety of “fragmented” threats in the wild, as different groups create their own custom variants of the same core exploit. To track the economic viability of these campaigns, we monitor the lifespan of their distribution sites and the frequency of their C2 server migrations. If a campaign is profitable, we see them reinvesting in more sophisticated lures or expanding into new geographic regions beyond their initial targets.
What is your forecast for the evolution of NFC-based fraud and relay attacks over the next year?
I expect NFC-based fraud to become one of the most significant mobile threats in the coming year as more attackers transition from stealing credentials to stealing the physical “handshake” of a transaction. We are already seeing a rise in the sophistication of these relay attacks, and as AI tools become even more adept at generating malicious code, the “NGate” style of attack will likely become a standardized template for cybercriminals globally. My forecast is that we will see a surge in “hybrid” attacks where social engineering via platforms like WhatsApp is paired with these high-tech NFC intercepts. To stay safe, readers should never set an unfamiliar application as their default payment provider and should remain extremely skeptical of any “prize” that requires downloading an app outside of the official Google Play Store.
