An evolved variant of NGate Android malware, active since November 2025, is targeting Android users in Brazil by disguising itself as HandyPay, a legitimate mobile payments application. Victims are lured through fake Google Play storefronts and fraudulent lottery sites into sideloading a malicious APK that relays NFC payment card data to attackers. Organizations with employees or customers in Brazil who use Android devices for mobile payments face direct financial fraud exposure and potential reputational harm if customer accounts are compromised.