    NGate Android malware uses HandyPay NFC app to steal card data

    By admin | April 21, 2026 | 3 Mins Read

    A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool.

    NGate was originally documented in mid-2024 and steals payment card information through the mobile device’s near-field communication (NFC) chip.

    The data is sent to the attacker, who creates virtual cards used for unauthorized purchases or for withdrawing cash from ATMs with NFC support.

    In the earlier versions, the malware used an open-source tool called NFCGate to capture, relay, and replay the payment card information.

    New research from ESET details a new variant that uses a version of the HandyPay app, which has been injected with malicious code to facilitate data-stealing operations.

    The researchers found that code in the new NGate malware contains emojis, which may indicate the use of a generative AI tool for development.

    [Figure: Malicious code snippet. Source: ESET]

    HandyPay has been available on Google Play since 2021 and supports NFC-based data transmissions between devices, a feature that NGate abuses to exfiltrate the card information.

    ESET believes the reason behind moving from NFCGate to HandyPay is likely financial, but evasion also plays a key role. The researchers underline the high cost of NFC relaying tools such as NFU Pay and TX-NFC, and the fact that these are “noisy” on infected devices.

    “NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. HandyPay, on the other hand, is significantly cheaper, only asking for the €9.99 per month donation, if even that,” ESET explains.

    “In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion.”

    In terms of targeting, ESET reports that the campaign using this latest variant has been active since November 2025, targeting primarily Android devices in Brazil.

    The campaign relies on two distribution methods. One lures users into downloading a fake app called “Proteção Cartão” that promises card protection features and is hosted on a fake Google Play page.

    The second uses a fake lottery website where visitors “win a prize” and are redirected to WhatsApp to claim it, which eventually leads to downloading the malicious APK.

    [Figure: Malware distribution methods. Source: ESET]

    After installation, the app prompts users to set it as the default NFC payment app, requests their card PIN, and asks them to tap their card on the phone for reading.

    All the information collected this way is delivered to an attacker’s email address that is hardcoded into the app.

    [Figure: Data theft flow. Source: ESET]

    Android users are advised to never download APKs from outside Google Play unless they explicitly trust the publisher, disable NFC if not needed, and scan for threats with Play Protect, which detects and blocks the latest NGate malware variant.
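
Because the trojanized app needs no permissions and only has to become the default NFC payment app, one defensive check is to confirm that whatever holds that slot came from a trusted store. The following is an added example, not code from ESET or the original article: it parses saved output of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i`, assuming the device exposes the default payment service through that secure setting. The package names and sample output are constructed.

```python
import re

# Assumption: only Google Play counts as a trusted installer; extend for managed stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def default_payment_package(setting_value):
    """The setting holds 'package/class', or 'null' when no default is set."""
    value = setting_value.strip()
    if not value or value == "null":
        return None
    return value.split("/", 1)[0]

def audit(setting_value, pm_output):
    """Return (verdict, package, reason) for the default NFC payment app."""
    pkg = default_payment_package(setting_value)
    if pkg is None:
        return ("ok", None, "no default NFC payment app set")
    installers = parse_installers(pm_output)
    if pkg not in installers:
        return ("review", pkg, "default payment app missing from package list")
    installer = installers[pkg]
    if installer in TRUSTED_INSTALLERS:
        return ("ok", pkg, f"installed by {installer}")
    return ("alert", pkg, f"sideloaded or unknown installer: {installer}")

# Constructed sample output (hypothetical package and class names).
SAMPLE_PM = """\
package:com.example.wallet  installer=com.android.vending
package:com.example.cardprotect  installer=null
"""
SAMPLE_SETTING = "com.example.cardprotect/com.example.cardprotect.HceService\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SETTING, SAMPLE_PM))
```

An `alert` verdict means the default payment app was not installed through a trusted store and should be examined before any card is tapped against the phone.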

