NGate Malware Hijacks NFC Payments on Android to Steal Card Data

A newly discovered variant of the NGate Android malware is targeting users by disguising itself as a modified version of the legitimate HandyPay NFC payment app. This malware is designed to steal sensitive payment card data using the device’s NFC (near-field communication) capability.

NGate was first identified in mid-2024 as a threat capable of capturing payment card information directly from smartphones. It works by intercepting NFC communication when a user taps their card on the device. The stolen data is then transmitted to attackers, who can create virtual copies of the cards and use them for unauthorized purchases or even withdraw money from NFC-enabled ATMs.

Earlier versions of NGate relied on an open-source tool called NFCGate to capture and relay card data. However, recent research by cybersecurity firm ESET reveals that attackers have shifted to using a modified HandyPay app. This new approach involves injecting malicious code into the app, allowing it to secretly collect and transmit sensitive information.

One notable detail in the malware’s code is the presence of emojis, which researchers believe may suggest the use of generative AI tools during its development.

HandyPay itself has been available on the Google Play Store since 2021 and is designed to facilitate NFC-based data transfers between devices. The malware abuses this legitimate functionality to extract card data without raising suspicion.

The switch from NFCGate to HandyPay appears to be driven by both cost and stealth. Commercial NFC relay tools like NFU Pay and TX-NFC can cost hundreds of dollars per month and are more likely to trigger alerts on infected devices. In contrast, HandyPay is much cheaper, requiring only a small monthly donation, and does not request special permissions beyond being set as the default payment app—making it less suspicious.

According to ESET, this new campaign has been active since November 2025, mainly targeting Android users in Brazil.

The attackers are distributing the malware through two primary methods:

  • A fake app named “Proteção Cartão,” which claims to offer card protection services and is hosted on a counterfeit Google Play page.
  • A fraudulent lottery website that tricks users into believing they’ve won a prize. Victims are redirected to WhatsApp to claim the reward, where they are eventually prompted to download the malicious app.

Once installed, the app asks users to:

  • Set it as the default NFC payment application
  • Enter their card PIN
  • Tap their card on the phone for scanning

All collected data is then sent to an attacker-controlled email address embedded within the app.

To stay safe, Android users should avoid downloading APK files from untrusted sources, disable NFC when not in use, and rely on built-in security tools like Play Protect, which can detect and block this malware variant.
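A triage check for the pattern described above (a sideloaded app holding the default NFC payment role), as an added example that is not from ESET or the original article. It inspects the output of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i`; the package names and sample listing below are constructed, and a non-Play installer is a signal for review, not proof of infection.

```shell
#!/bin/sh
# Added example: flag a default NFC payment app that was not installed by Google Play.
# All package names below are hypothetical, constructed sample data.

SAMPLE_LISTING='package:com.example.wallet  installer=com.android.vending
package:com.example.cardguard  installer=null'

# Package name from a "pkg/.Service" component string.
component_package() {
    printf '%s\n' "${1%%/*}"
}

# Installer of package $1, read from `pm list packages -i` style lines in $2.
installer_of() {
    printf '%s\n' "$2" | awk -v p="package:$1" \
        '$1 == p { sub(/^installer=/, "", $2); print $2 }'
}

# Verdict for the default payment component $1 given the package listing $2.
# Returns 0 when nothing needs review, 1 when the app should be examined.
check_default_payment_app() {
    component=$1
    listing=$2
    case "$component" in
        ''|null) echo "OK: no default NFC payment app set"; return 0 ;;
    esac
    pkg=$(component_package "$component")
    inst=$(installer_of "$pkg" "$listing")
    if [ "$inst" = "com.android.vending" ]; then
        echo "OK: $pkg was installed by Google Play"
        return 0
    fi
    echo "REVIEW: $pkg is the default NFC payment app, installer=${inst:-unknown}"
    return 1
}

# Demo on the constructed data; on a real device pass the two adb outputs instead.
check_default_payment_app 'com.example.wallet/.PayService' "$SAMPLE_LISTING" || true
check_default_payment_app 'com.example.cardguard/.HceService' "$SAMPLE_LISTING" || true
```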

