NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware has emerged, specifically targeting Android users by disguising itself within a trojanized version of HandyPay, a legitimate mobile payment processing application. Originally documented in mid-2024, NGate is designed to siphon payment card information through the mobile device’s near-field communication (NFC) chip.

The stolen data is sent directly to the attacker, who then creates virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs.

Evolution of the Malware

Previous iterations of NGate utilized an open-source tool named NFCGate to capture, relay, and replay payment card data. However, recent research by ESET reveals a new variant in which malicious code has been injected into the HandyPay app itself, and that trojanized app now carries out the data-stealing operations.

Interestingly, the code within this new NGate variant incorporates emojis, suggesting that a generative AI tool may have been employed in its development.

Malicious code snippet
Source: ESET

HandyPay has been available on Google Play since 2021, enabling NFC-based data transmissions between devices—a feature that NGate exploits to exfiltrate sensitive card information. ESET posits that the shift from NFCGate to HandyPay is likely motivated by financial considerations, alongside the need for evasion. The researchers highlight the steep costs associated with NFC relaying tools like NFU Pay and TX-NFC, which can reach up to US0 per month. In contrast, HandyPay is significantly more affordable, requiring only a €9.99 monthly donation, if even that.

Moreover, HandyPay’s design does not necessitate extensive permissions beyond being set as the default payment app, allowing threat actors to operate with reduced suspicion.

Targeting and Distribution Methods

According to ESET, this latest NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. The campaign employs two main distribution strategies. The first involves enticing users to download a counterfeit app named “Proteção Cartão,” which claims to offer card protection features and is hosted on a fraudulent Google Play page.

The second method utilizes a fake lottery website, where visitors are led to believe they have “won a prize” and are subsequently redirected to WhatsApp to claim it, ultimately resulting in the download of the malicious APK.

Malware distribution methods
Source: ESET

Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading. All collected information is then transmitted to an attacker’s email address embedded within the app.

Data theft flow
Source: ESET
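The behaviour ESET describes (an app that registers as the default NFC payment service, prompts for the card PIN, and emails the captured data to a mailbox hard-coded in the app) gives a triage analyst three things to look for when statically reviewing an APK. The script below is an added example, not ESET's tooling or code from the article: it opens an APK (or a re-zipped apktool output) and flags the combination of a host card emulation (HCE) service declaration, a PIN prompt string, and an embedded e-mail address. `build_sample_apk` constructs a stand-in APK in memory for the demonstration; its package name, file contents and the `collector@example.net` mailbox are invented, and the Portuguese keyword `senha` is an assumption based on the campaign's Brazilian targeting.

```python
import io
import re
import zipfile

# Real Android action that an HCE (host card emulation) payment service declares
# in its manifest; any app that can become the "default payment app" carries it.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Hard-coded mailbox = possible exfiltration channel (the article: data is sent to
# an attacker's e-mail address embedded in the app).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# PIN prompt strings; "senha" is an assumption for pt-BR localised apps.
PIN_PROMPT_RE = re.compile(rb"(?i)\b(pin|senha)\b")


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every member of an APK (a zip) for the three indicators."""
    findings = {"hce_service": False, "pin_prompt": False,
                "emails": set(), "members": []}
    # Compiled manifests store strings as UTF-8 or UTF-16LE; check both encodings
    # so the scan also works on a binary AndroidManifest.xml, not only decoded XML.
    hce_patterns = (HCE_ACTION.encode("utf-8"), HCE_ACTION.encode("utf-16-le"))
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            findings["members"].append(name)
            if any(p in data for p in hce_patterns):
                findings["hce_service"] = True
            if PIN_PROMPT_RE.search(data):
                findings["pin_prompt"] = True
            findings["emails"].update(m.decode() for m in EMAIL_RE.findall(data))
    findings["emails"] = sorted(findings["emails"])
    return findings


def triage_verdict(findings: dict) -> str:
    """HCE alone is expected of any legitimate tap-to-pay app, so only the
    combination described in the article is rated as suspicious."""
    if findings["hce_service"] and findings["pin_prompt"] and findings["emails"]:
        return "suspicious"
    if findings["hce_service"] and findings["emails"]:
        return "review"  # e.g. a payment app with a support mailbox in its strings
    return "benign-looking"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a decoded APK (not a real sample)."""
    manifest = (b'<manifest package="com.example.protecaocartao">'
                b'<application><service android:name=".PayService" '
                b'android:permission="android.permission.BIND_NFC_SERVICE">'
                b'<intent-filter><action android:name="'
                + HCE_ACTION.encode() +
                b'"/></intent-filter></service></application></manifest>')
    strings = (b'<resources><string name="pin_hint">'
               b'Digite a senha do cartao</string></resources>')
    dex_like = b"\x00\x00smtp.example.net\x00collector@example.net\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("res/values/strings.xml", strings)
        z.writestr("classes.dex", dex_like)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    print(result)
    print("verdict:", triage_verdict(result))
```

Run against a real APK with `scan_apk(open("app.apk", "rb").read())`. The byte-level search is deliberately crude: it is a first-pass filter, and any "suspicious" hit should be confirmed by decoding the manifest and DEX with a proper tool before drawing conclusions.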

To safeguard against such threats, Android users are advised to refrain from downloading APKs from sources outside of Google Play unless they have explicit trust in the publisher. Additionally, disabling NFC when not in use and utilizing Play Protect to scan for threats can help detect and block the latest NGate malware variant.
