A new variant of the NGate malware is targeting Android users by disguising itself within a trojanized version of HandyPay, a legitimate mobile payments tool. The malware is designed to steal payment card data through near-field communication (NFC), raising fresh concerns around mobile payment security.
First identified in mid-2024, NGate captures card information using a device’s NFC chip. The stolen data is then sent to attackers, who create virtual cards to carry out unauthorized purchases or withdraw cash from NFC-enabled ATMs. Earlier versions relied on the open-source NFCGate tool to capture and relay card data.
New research from ESET highlights a shift in tactics. The latest variant uses a modified version of HandyPay injected with malicious code to enable data theft. Researchers also found emojis embedded in the malware code, suggesting the possible use of generative AI in its development.
HandyPay, available on Google Play since 2021, supports NFC-based data transfers between devices. NGate exploits this functionality to extract sensitive card information. According to ESET, attackers likely moved from NFCGate to HandyPay due to lower costs and better evasion. Tools like NFU Pay and TX-NFC can cost between $400 and $500 per month and are more detectable, while HandyPay asks only for a €9.99 monthly donation, if anything at all.
Another advantage is that HandyPay does not require permissions by default and only needs to be set as the default payment app, helping attackers avoid suspicion.
ESET reports that this campaign has been active since November 2025, primarily targeting Android users in Brazil. The malware spreads through two main methods: a fake app called “Proteção Cartão” hosted on a counterfeit Google Play page, and a fake lottery website that redirects users to WhatsApp to claim a prize, eventually leading to the malicious download.
Once installed, the app asks users to set it as the default NFC payment app, enter their card PIN, and tap their card on the phone. The collected data is then sent to an attacker-controlled email address embedded in the app.
Users are advised to avoid downloading APKs from untrusted sources, disable NFC when not in use, and use Play Protect to detect and block threats.
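Because the campaign depends on a sideloaded app being set as the default NFC payment app, a device audit can flag exactly that combination. The following is an added example, not code from ESET or from the article: it assumes the default payment component is read with `adb shell settings get secure nfc_payment_default_component` and installer data with `adb shell pm list packages -i`, and all package names in the sample are constructed placeholders.

```python
import re

# Installer package name of the Google Play Store.
PLAY_STORE = "com.android.vending"

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            # pm prints the literal string "null" when no installer is recorded.
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def audit_default_payment_app(component, pm_output, trusted=(PLAY_STORE,)):
    """Return (package, installer, verdict) for the default NFC payment component."""
    component = component.strip()
    if not component or component == "null":
        return (None, None, "no-default")
    # The setting holds a flattened component name: "package/service.class".
    package = component.split("/", 1)[0]
    installers = parse_installers(pm_output)
    if package not in installers:
        return (package, None, "unknown-package")
    installer = installers[package]
    # Preinstalled apps can also report no installer, so "sideloaded-default"
    # is a prompt for manual review, not proof of compromise.
    verdict = "ok" if installer in trusted else "sideloaded-default"
    return (package, installer, verdict)

# Constructed sample data (hypothetical package names, not real indicators).
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cardprotect  installer=null
package:com.example.browser  installer=com.google.android.packageinstaller
"""
SAMPLE_DEFAULT = "com.example.cardprotect/com.example.cardprotect.HceService\n"

if __name__ == "__main__":
    print(audit_default_payment_app(SAMPLE_DEFAULT, SAMPLE_PM))
```

On devices that manage the default wallet through a different mechanism than this setting, the same verdict logic applies once the default package name is obtained another way.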