New NGate Android malware variant uses NFC app to steal card data

A newly identified variant of the NGate Android malware is exploiting a legitimate NFC payment application to pilfer users’ card information and PINs, facilitating unauthorized contactless transactions. This alarming development has been detailed in a report by ESET researchers, who shared their insights with CyberInsider.

Malicious Evolution of NGate

The latest iteration of NGate has replaced its previous tool, NFCGate, with a trojanized version of HandyPay, an authentic Android application designed for NFC payment data transmission. The malicious activity appears to have commenced around November 2025 and continues to pose a threat, with indications pointing to a single entity managing the operation.

In contrast to earlier NGate attacks, this campaign employs more sophisticated social engineering tactics and delivery methods. ESET has identified two primary distribution channels: a fraudulent lottery website masquerading as “Rio de Prêmios” and a counterfeit Google Play page promoting a fictitious “card protection” application. Both routes ultimately lead to the installation of a modified HandyPay app embedded with malicious code.

HandyPay, which has been available on Google Play since 2021, is intended to facilitate the sharing of NFC card data between devices for payment purposes. However, in this malicious context, the app has been altered to covertly capture sensitive information. After installation, the trojanized app prompts users to input their payment card PIN and tap their card against the device. The malware then transmits the NFC data to an attacker-controlled phone while simultaneously exfiltrating the PIN to a command-and-control (C&C) server via HTTP.

Interestingly, ESET’s analysis indicates that the malicious code embedded in HandyPay may have been generated or aided by large language models, evidenced by the presence of emojis in log outputs—a hallmark of AI-generated code.

From a technical standpoint, the malware requires minimal permissions and relies heavily on social engineering tactics rather than exploiting operating system vulnerabilities. Victims are deceived into enabling app installations from unknown sources and designating the app as their default payment service. The NFC relay feature, originally intended for legitimate use, allows attackers to mimic the victim’s card on their own device, enabling cash withdrawals from ATMs.

ESET further highlights that the campaign’s infrastructure is centralized, utilizing the same server for both malware distribution and the collection of stolen PINs. An analysis of the attackers’ backend revealed logs from compromised devices in Brazil, including captured PINs, IP addresses, and timestamps, underscoring the real-world implications of this exploitation.

The transition from utilizing off-the-shelf NFC relaying tools or malware-as-a-service platforms to modifying a legitimate application appears to be driven by financial incentives. Subscription fees for underground NFC tools can soar into the hundreds of dollars monthly, while HandyPay provides comparable functionality at a significantly lower cost, or even free, making it an appealing option for cybercriminals.

To mitigate the risk of infection, users are advised to refrain from installing applications from unofficial sources or links received via SMS or messaging platforms, particularly those promising financial rewards. It is crucial to avoid entering payment card PINs into mobile applications unless their legitimacy is assured, and to disable NFC when not in use. Activating Google Play Protect can also assist in detecting and blocking known threats like NGate.
