
Netcrook



Brazil’s Digital Heist: AI-Engineered Malware Hijacks NFC Payment Apps for ATM Cash-Outs

Published: 21 April 2026 15:04 | Category: Security Awareness & Social Engineering | Geo: South America | Author: TRUSTBREAKER

A new wave of AI-powered Android malware is exploiting legitimate payment apps to sweep card data and PINs in Brazil’s booming contactless economy.

It starts with a dream: a text promising a lottery win, a WhatsApp link from a trusted bank, an app that claims to protect your card. But for its Brazilian victims, it ends with empty accounts and vanishing cash. Behind this digital sleight of hand is a new variant of the NGate malware, built with the help of generative AI and hidden inside a seemingly legitimate NFC payment app. Its goal: to siphon payment card data and PINs, then cash out at ATMs before victims know what hit them.

The Anatomy of a Digital Scam

The latest NGate campaign marks a chilling milestone: malware that not only piggybacks on a legitimate app but also leverages AI-generated code to streamline and disguise its theft. Researchers at ESET first spotted the threat in a modified version of HandyPay, a widely used NFC relay app that lets users perform tap-to-pay transactions with their phone.

Here is how the scam unfolds: attackers obtain a clean copy of HandyPay, inject it with malicious logic (reportedly with the help of generative AI, as evidenced by telltale emoji-laden log strings), and distribute the tampered app via two main channels. The first is a slick fake lottery site, where a rigged scratch card always "awards" a cash prize and then pushes users to WhatsApp to claim it, delivering the malware in the process. The second is a spoofed Google Play page offering a "Proteção Cartão" ("Card Protection") app, which tricks users into sideloading the infected APK.

Once installed, the trojanized app behaves like the genuine HandyPay, requesting to be set as the default NFC payment app and guiding users through the process of tapping their card. Unbeknownst to them, it relays the card's NFC exchange to attacker-controlled infrastructure and captures the PIN alongside it; a contactless tap never transmits the PIN, so the app has to obtain it from the victim directly. The criminals, armed with both live NFC payloads and PINs, can then emulate the victim's card for in-person ATM withdrawals or high-value purchases, draining accounts in minutes.

AI: The Cybercriminal’s New Accomplice

The emergence of AI-generated malware code is a game-changer. Traditional malware kits for NFC relay attacks are expensive and require technical expertise. By contrast, the NGate operators have weaponized a low-cost legitimate app, whose developers ask only for a modest monthly donation, and used AI tools to patch in their malicious logic. This not only slashes their operating costs but also makes the malware harder to spot: the infected app requests only the permissions the original HandyPay needs, sidestepping the red flags that usually tip off users and security software.
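One concrete way to hunt for the "telltale emoji-laden log strings" mentioned above, as an added example that is not code from ESET, HandyPay or the NGate operators: the script below walks a DEX-style string pool and flags strings carrying emoji or a hard-coded endpoint. The detail a plain `strings | grep` misses is that DEX stores text as MUTF-8, where each emoji is a UTF-16 surrogate pair written as two 3-byte sequences rather than one 4-byte UTF-8 sequence, so the decoder has to rejoin the pair before any emoji pattern can match. The sample strings, the placeholder host `c2.example.invalid` and the endpoint pattern are constructed for this example, and the block takes a raw run of `string_data_item`s rather than a whole APK. Note also that since the trojanized APK keeps HandyPay's permission list, diffing permissions will not reveal repackaging; comparing the APK's signing certificate with the one on the Play-distributed copy will, because the operators cannot sign with the original developer's key.

```python
"""Flag emoji-laden log strings and hard-coded endpoints in a DEX string pool.
Added example for this article, not code from ESET, HandyPay or NGate.
A DEX string_data_item is: uleb128 UTF-16 length, MUTF-8 bytes, 0x00.
MUTF-8 writes every emoji as a surrogate pair (each surrogate 3 bytes) and
U+0000 as C0 80, so a UTF-8 grep for 4-byte emoji finds nothing."""
import re
from typing import Iterator, Tuple

EMOJI = re.compile(r"[\U0001F000-\U0001FAFF\u2600-\u27BF]")  # common emoji blocks
ENDPOINT = re.compile(r"(?:https?|wss?)://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")


def encode_mutf8(s: str) -> bytes:
    """MUTF-8 encoder (sample-building only): each UTF-16 unit as 1 to 3 bytes."""
    raw = s.encode("utf-16-be")  # emoji are already split into surrogate pairs here
    out = bytearray()
    for u in (int.from_bytes(raw[k:k + 2], "big") for k in range(0, len(raw), 2)):
        if 1 <= u <= 0x7F:
            out.append(u)
        elif u <= 0x7FF:  # also U+0000 -> C0 80
            out += bytes((0xC0 | (u >> 6), 0x80 | (u & 0x3F)))
        else:  # BMP characters and each surrogate: 3 bytes
            out += bytes((0xE0 | (u >> 12), 0x80 | ((u >> 6) & 0x3F), 0x80 | (u & 0x3F)))
    return bytes(out)


def decode_mutf8(data: bytes) -> str:
    """Decode MUTF-8 to UTF-16 units, then let the UTF-16 codec rejoin surrogate pairs."""
    units, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            u, n = b, 1
        elif b & 0xE0 == 0xC0:
            u, n = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), 2
        elif b & 0xF0 == 0xE0:
            u, n = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F), 3
        else:
            raise ValueError(f"not MUTF-8: lead byte {b:#04x} at offset {i}")
        units.append(u)
        i += n
    return "".join(map(chr, units)).encode("utf-16-be", "surrogatepass").decode("utf-16-be", "surrogatepass")


def read_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, next_pos) for the unsigned LEB128 starting at buf[pos]."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_string_pool(strings) -> bytes:
    """Serialize strings as consecutive string_data_items (for the constructed sample)."""
    buf = bytearray()
    for s in strings:
        buf += encode_uleb128(len(s.encode("utf-16-be")) // 2) + encode_mutf8(s) + b"\x00"
    return bytes(buf)


def iter_string_pool(buf: bytes) -> Iterator[str]:
    """Walk consecutive string_data_items; a raw 0x00 byte only ever terminates one."""
    pos = 0
    while pos < len(buf):
        _utf16_len, pos = read_uleb128(buf, pos)
        end = buf.index(b"\x00", pos)
        yield decode_mutf8(buf[pos:end])
        pos = end + 1


def find_suspicious_strings(pool: bytes) -> dict:
    """Bucket strings carrying emoji (AI-style logging) or a hard-coded endpoint."""
    hits = {"emoji_log": [], "endpoint": []}
    for s in iter_string_pool(pool):
        if EMOJI.search(s):
            hits["emoji_log"].append(s)
        if ENDPOINT.search(s):
            hits["endpoint"].append(s)
    return hits


# Constructed sample: two ordinary strings, two emoji log lines, one invented endpoint.
SAMPLE_STRINGS = [
    "Lcom/example/handypay/NfcService;",
    "Toque o cartão no telefone",
    "✅ NFC session started, relaying APDUs",
    "🚀 PIN captured, sending to server",
    "wss://c2.example.invalid:8443/relay",
]
SAMPLE_POOL = build_string_pool(SAMPLE_STRINGS)
```

Against a real sample you would feed `iter_string_pool` the bytes of the `string_data_item` region located through the DEX header's `string_ids` table; the two buckets returned by `find_suspicious_strings(SAMPLE_POOL)` are the emoji log lines and the relay endpoint, while the ordinary class descriptor and UI text pass through untouched.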

Evidence from compromised devices and attacker logs geolocates the campaign squarely in Brazil, with dozens of victims’ PINs, IP addresses, and timestamps harvested. The attackers’ infrastructure is tightly controlled, routing all stolen data through hard-coded channels.

Android's built-in defenses, such as Play Protect, can flag known NGate variants, but they only recognise samples that have already been seen, and the campaign depends on victims sideloading an APK from a fake Play page or a WhatsApp link that no store review has examined. Refusing installs from outside Google Play remains the decisive defence. The lesson: in the age of AI, even the most familiar apps can become Trojan horses.

Conclusion

This NGate campaign signals a dangerous new chapter for cybercrime: AI is not just automating attacks; it is enabling a new generation of low-skill fraudsters to weaponize trusted technology at scale. As the line between legitimate and malicious blurs, vigilance is no longer optional, especially when our most convenient tools can be turned against us.

WIKICROOK

  • NFC (Near Field Communication): NFC is a wireless technology that lets devices exchange data when held close together, commonly used for contactless payments and access cards.
  • Trojanized App: A Trojanized app is a legitimate-looking application secretly modified to include malware, tricking users into installing harmful software on their devices.
  • Generative AI: Generative AI is artificial intelligence that creates new content, such as text, images or audio, often mimicking human creativity and style.
  • Sideloading: Sideloading is installing apps or software from outside official app stores, often skipping standard security checks and increasing potential risks.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.