NGate Android malware uses HandyPay NFC app to steal card data

Summary

A new variant of NGate malware is targeting Android users in Brazil by embedding itself in a trojanized version of HandyPay, a legitimate NFC-based mobile payment app. The malware steals payment card information via NFC and exfiltrates it to attacker-controlled email addresses. The shift from using NFCGate to HandyPay appears motivated by lower costs and reduced device visibility, with distribution via fake app stores and lottery phishing schemes.

Full text

NGate Android malware uses HandyPay NFC app to steal card data By Bill Toulas April 21, 2026 05:00 AM 0 A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. NGate was originally documented in mid-2024 and steals payment card information through the mobile device's near-field communication (NFC) chip. The data is sent to the attacker, who create virtual cards used for unauthorized purchases or withdrawing cash from ATMs with NFC support. In the earlier versions, the malware used an open-source tool called NFCGate to capture, relay, and replay the payment card information. New research from ESET details a new variant that uses a version of the HandyPay app, which has been injected with malicious code to facilitate data-stealing operations. The researchers found that code in the new NGate malware contains emojis, which may indicate the use of a generative AI tool for development. Malicious code snippetSource: ESET HandyPay has been available on Google Play since 2021 and supports NFC-based data transmissions between devices, a feature that NGate abuses to exfiltrate the card information. ESET believes the reason behind moving from NFCGate to HandyPay is likely financial, but evasion also plays a key role. The researchers underline the high cost of NFC relaying tools such as NFU Pay and TX-NFC, and the fact that these are “noisy” on infected devices. “NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. HandyPay, on the other hand, is significantly cheaper, only asking for the €9.99 per month donation, if even that,” ESET explains. “In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion.” In terms of targeting, ESET reports that the campaign using this latest variant has been active since November 2025, targeting primarily Android devices in Brazil. The campaign relies on two distribution methods. One lures users into downloading a fake app called “Proteção Cartão” that promises card protection features and is hosted on a fake Google Play page. The second uses a fake lottery website where visitors “win a prize” and are redirected to WhatsApp to claim it, which eventually leads to downloading the malicious APK. Malware distribution methodsSource: ESET After installation, the app prompts users to set it as the default NFC payment app, requests their card PIN, and asks them to tap their card on the phone for reading. All the information collected this way is delivered to an attacker's email address that is hardcoded into the app. Data theft flowSource: ESET Android users are advised to never download APKs from outside Google Play unless they explicitly trust the publisher, disable NFC if not needed, and scan for threats with Play Protect, which detects and blocks the latest NGate malware variant. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Hackers use pixel-large SVG trick to hide credit card stealer'NoVoice' Android malware on Google Play infected 2.3 million devicesNew CrystalRAT malware adds RAT, stealer and prankware featuresNew Torg Grabber infostealer malware targets 728 crypto walletsGoogle adds ‘Advanced Flow’ for safe APK sideloading on Android

Indicators of Compromise

• malware — NGate
• malware — Proteção Cartão

Entities