


Perceptive Security
SOC/SIEM Consultancy

NGate Android malware uses HandyPay NFC app to steal card data
Published:
21 April 2026 at 09:00:00
Alert date:
21 April 2026 at 10:01:02
Source:
bleepingcomputer.com
Mobile & IoT, Ransomware & Malware, Data Breach & Exfiltration
A new variant of NGate malware targets Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. The malware steals NFC payment data from infected devices. This represents an active threat to mobile payment security, particularly targeting users of legitimate payment applications. The attack demonstrates sophisticated social engineering by disguising malware within trusted financial applications.
Technical details
NGate malware steals NFC payment data through Android devices' near-field communication chips. The new variant uses a trojanized version of the HandyPay app injected with malicious code. The malware prompts users to set it as the default NFC payment app, requests the card PIN, and asks users to tap their card on the phone for reading. All collected information is delivered to an attacker's hardcoded email address. The malware code contains emojis, which may indicate the use of generative AI tools for development. The campaign has been active since November 2025, primarily targeting Android devices in Brazil.
Mitigation steps:
Never download APKs from outside Google Play unless you explicitly trust the publisher
Disable NFC if not needed
Scan for threats with Play Protect, which detects and blocks the latest NGate malware variant
Avoid setting unknown apps as default payment applications
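To support the last mitigation step, the following added example (not code from the original alert or from ESET) lists the services in a decoded AndroidManifest.xml that register payment-category AIDs for host card emulation, which is what makes an app selectable as the default NFC payment app, and flags packages missing from an approved list. It assumes the manifest and its res/xml files were already decoded to text (for example with apktool); the package name, service name, AID and approved list are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"

def payment_hce_services(manifest_xml, res_xml):
    """Return (package, names of services that register payment-category AIDs).
    res_xml maps "@xml/<name>" references to decoded resource XML text."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for svc in root.iter("service"):
        if HCE_ACTION not in {a.get(A + "name") for a in svc.iter("action")}:
            continue  # not a host card emulation service
        for meta in svc.findall("meta-data"):
            doc = res_xml.get(meta.get(A + "resource"))
            if meta.get(A + "name") != HCE_META or not doc:
                continue
            groups = ET.fromstring(doc).iter("aid-group")
            if any(g.get(A + "category") == "payment" for g in groups):
                hits.append(svc.get(A + "name"))
    return root.get("package"), hits

def review(manifest_xml, res_xml, approved_packages):
    """Flag a package that can be offered as default payment app but is not approved."""
    package, services = payment_hce_services(manifest_xml, res_xml)
    flagged = bool(services) and package not in approved_packages
    return {"package": package, "services": services, "flagged": flagged}

# Constructed sample (hypothetical package, service and AID), not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardguard">
  <application>
    <service android:name=".PayService"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apdu"/>
    </service>
  </application>
</manifest>"""
SAMPLE_RES = {"@xml/apdu": """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android">
  <aid-group android:category="payment">
    <aid-filter android:name="F0010203040506"/>
  </aid-group>
</host-apdu-service>"""}

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, SAMPLE_RES, approved_packages={"com.example.bankwallet"}))
```

A repackaged build can keep the package name of the app it imitates, so an approved-package match should be paired with a check of the APK's signing certificate.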
Affected products:
Android devices
HandyPay NFC payment app
NFCGate open-source tool
Related links:
https://github.com/nfcgate/nfcgate
https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
Related CVEs:
Related threat actors:
IOCs:
Fake app called 'Proteção Cartão'
Fake Google Play pages
Fake lottery websites
Trojanized HandyPay APK files
Hardcoded attacker email addresses in malicious apps
This article was created with the assistance of AI technology by Perceptive.
