7 Android Apps Impacted by NGate Malware: HandyPay, NFC Apps Exposed

As the world becomes increasingly reliant on mobile payments, new threats emerge to compromise the security of our financial transactions. One such threat is the NGate malware, a variant of which has been targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. Originally documented in mid-2024, NGate steals payment card information through the mobile device’s near-field communication (NFC) chip, using a tool called NFCGate to capture, relay, and replay the payment card information. The newly discovered variant instead uses a modified version of the HandyPay app to facilitate its data-stealing operations.

The NGate Malware: A Threat to Android Users

NGate malware is a type of Android malware that steals payment card information by abusing the NFC feature on the device. NFC is a technology that enables communication between devices over short distances, typically used for transactions such as contactless payments. However, this feature can also be exploited by malicious actors to steal sensitive information. ESET researchers have discovered that the new variant of NGate malware uses a trojanized version of HandyPay, a legitimate mobile payments processing tool, to steal payment card information.

The HandyPay App: A Gateway for Malware

HandyPay has been available on Google Play since 2021 and supports NFC-based data transmissions between devices. In the new NGate variant, however, a copy of the app has been injected with malicious code to facilitate data-stealing operations. ESET researchers found that the code in the new NGate malware contains emojis, which may indicate the use of a generative AI tool for development. This is a concerning trend, as it suggests that malware developers are becoming more sophisticated in their methods.

The Cost of Malware Development: A Comparison

One reason behind the move from NFCGate to HandyPay is likely financial. ESET researchers point out that NFC relaying tools like NFU Pay and TX-NFC are expensive, with prices ranging from US$400 to US$500 per month. In contrast, HandyPay is significantly cheaper, costing only €9.99 per month. Furthermore, HandyPay itself does not require any permissions; it only needs to be set as the default payment app, which helps the threat actors avoid raising suspicion.

The Campaign: Distribution and Targeting

The campaign using this latest variant of NGate malware has been active since November 2025, targeting primarily Android devices in Brazil. The campaign relies on two distribution methods. One lures users into downloading a fake app called “Proteção Cartão” that promises card protection features and is hosted on a fake Google Play page. The second uses a fake lottery website where visitors “win a prize” and are redirected to WhatsApp to claim it, which eventually leads to downloading the malicious APK.

Stealing Payment Card Information

After installation, the app prompts users to set it as the default NFC payment app, requests their card PIN, and asks them to tap their card on the phone for reading. All the information collected this way is delivered to an attacker’s email address that is hardcoded into the app. This highlights the importance of being cautious when downloading apps from outside the Google Play Store and being aware of the permissions requested by the app.

Protecting Yourself from NGate Malware

Android users are advised to never download APKs from outside Google Play unless they explicitly trust the publisher, disable NFC if not needed, and scan for threats with Play Protect, which detects and blocks the latest NGate malware variant. Additionally, users should be wary of apps that promise unrealistic benefits or ask for sensitive information. It is also essential to keep the Android operating system up to date, as this will ensure that the latest security patches are installed.

Conclusion

The NGate malware is a growing threat to Android users, and the new variant using HandyPay is a concerning development. The use of generative AI in malware development suggests a new level of sophistication, and the ease with which malware developers can now create and distribute malware is alarming. As we continue to rely on mobile payments, it is essential to be aware of the risks and take necessary precautions to protect our financial information.

Recommendations for Android Users

To protect yourself from NGate malware, follow these steps:

  • Never download APKs from outside the Google Play Store unless you explicitly trust the publisher.
  • Disable NFC if not needed.
  • Scan for threats with Play Protect, which detects and blocks the latest NGate malware variant.
  • Keep the Android operating system up to date.
  • Be wary of apps that promise unrealistic benefits or ask for sensitive information.
  • Monitor your account activity regularly for any suspicious transactions.
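
The pattern described above, an app installed from outside Google Play that also holds the default NFC payment role, can be checked on a device from its package list. The following is an added example, not code from ESET or the original article: it parses text in the format printed by `adb shell pm list packages -3 -i` and `adb shell settings get secure nfc_payment_default_component`, and all package names and sample output are constructed.

```python
import re

# Installer packages treated as trusted stores; adjust for your fleet (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the format of `adb shell pm list packages -3 -i`.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.cardprotect  installer=null
package:com.example.notes  installer=com.android.chrome
"""

# Constructed sample in the format of
# `adb shell settings get secure nfc_payment_default_component`.
SAMPLE_DEFAULT = "com.example.cardprotect/com.example.cardprotect.HceService\n"

_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def default_payment_package(setting_value):
    """Extract the package name from a 'package/service' component string."""
    value = setting_value.strip()
    if not value or value == "null":
        return None
    return value.split("/", 1)[0]


def audit(pm_output, setting_value):
    """Report sideloaded third-party apps and whether one is the default NFC payment app."""
    installers = parse_installers(pm_output)
    sideloaded = sorted(p for p, i in installers.items() if i not in TRUSTED_INSTALLERS)
    default_pkg = default_payment_package(setting_value)
    return {
        "default_payment_package": default_pkg,
        "sideloaded": sideloaded,
        "sideloaded_default_payment": default_pkg in sideloaded,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PACKAGES, SAMPLE_DEFAULT))
```

A `sideloaded_default_payment` result of `True` means the app registered to handle contactless payments did not come from a trusted store and should be reviewed before the device is used for payments again.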

Conclusion

Mobile payments have made our lives easier, but it’s essential to be aware of the risks associated with them. The NGate malware is a prime example of how malicious actors can exploit our reliance on technology to steal our sensitive information. By being cautious and taking necessary precautions, we can protect ourselves from such threats and ensure the security of our financial transactions.
