New NGate variant hides in a trojanized NFC payment app
ID: 10ca7909-f206-59cc-a9fd-47047a62f2e7
STIX ID: report--10ca7909-f206-59cc-a9fd-47047a62f2e7
Feed Name: WeLiveSecurity (ESET Research)
ESET Research identified an active NGate campaign that trojanized the HandyPay Android NFC relay app to capture and relay victims' payment card data and PINs for contactless ATM cash-outs and unauthorized payments in Brazil. Distribution used a fake Rio de Prêmios lottery site and a fake Google Play page. The report publishes IoCs (sample hashes, domain protecaocartao.online, C2 IP 108.165.230.223) and includes analysis of tactics and likely GenAI-assisted code changes.
