
NGate Android malware uses HandyPay NFC app to steal card data

Published:

21 April 2026 at 09:00:00

Alert date:

21 April 2026 at 10:01:02

Source:

bleepingcomputer.com


Mobile & IoT, Ransomware & Malware, Data Breach & Exfiltration

A new variant of NGate malware targets Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. The malware steals NFC payment data from infected devices. This represents an active threat to mobile payment security, particularly targeting users of legitimate payment applications. The attack demonstrates sophisticated social engineering by disguising malware within trusted financial applications.

Technical details

NGate malware steals NFC payment data through Android devices' near-field communication chips. The new variant uses a trojanized version of the HandyPay app injected with malicious code. The malware prompts users to set it as the default NFC payment app, requests the card PIN, and asks users to tap their card on the phone so it can be read. All collected information is delivered to an attacker's hardcoded email address. The malware code contains emojis, which may indicate the use of generative AI tools for development. The campaign has been active since November 2025, primarily targeting Android devices in Brazil.

Mitigation steps:

Never download APKs from outside Google Play unless you explicitly trust the publisher
Disable NFC if not needed
Scan for threats with Play Protect, which detects and blocks the latest NGate malware variant
Avoid setting unknown apps as default payment applications
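A triage check tied to the mitigations on sideloaded APKs and default payment apps, added here as an example and not taken from the advisory or its source. It parses saved output of `adb shell pm list packages -i -3` and `adb shell settings get secure nfc_payment_default_component`; the package names, sample output and trusted-installer list are constructed assumptions, and the setting key may not reflect the default wallet on every Android version.

```python
import re

# Installers treated as trusted stores (assumption: adjust for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package -> installer from `adb shell pm list packages -i -3` output."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installer = m.group(2)
            # pm prints "installer=null" when no installer is recorded (sideload).
            result[m.group(1)] = None if installer == "null" else installer
    return result

def default_payment_package(setting_value):
    """Package part of the nfc_payment_default_component secure setting."""
    value = setting_value.strip()
    if not value or value == "null":
        return None
    # The value is a component name: <package>/<service class>.
    return value.split("/", 1)[0]

def triage(pm_output, setting_value):
    """Report sideloaded apps and whether one holds the NFC payment default."""
    installers = parse_installers(pm_output)
    sideloaded = sorted(p for p, i in installers.items()
                        if i not in TRUSTED_INSTALLERS)
    default_pkg = default_payment_package(setting_value)
    return {
        "sideloaded": sideloaded,
        "default_payment": default_pkg,
        "alert": default_pkg is not None and default_pkg in sideloaded,
    }

# Constructed sample output; package names are made up for illustration.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cardprotect  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_SETTING = "com.example.cardprotect/com.example.cardprotect.HceService\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_SETTING))
```

An `alert` of true means a package not installed by a trusted store is the default NFC payment handler, which is the state the malware asks the user to create.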

Affected products:

Android devices
HandyPay NFC payment app
NFCGate open-source tool

Related links:

Related CVEs:

Related threat actors:

IOCs:

Fake app called 'Proteção Cartão'
Fake Google Play pages
Fake lottery websites
Trojanized HandyPay APK files
Hardcoded attacker email addresses in malicious apps

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
