Android Malware NGate Exploits HandyPay App for Card Data Theft
Android Users Targeted by New Variant of NGate Malware
A new variant of the NGate malware has been discovered, targeting Android users by disguising itself within a trojanized version of HandyPay, a legitimate mobile payments processing tool.
The Malware Exploits NFC Chip to Extract Sensitive Payment Information
The malware, initially identified in 2024, exploits the mobile device’s near-field communication (NFC) chip to extract sensitive payment card information. The data is then transmitted to attackers, who can use it to make unauthorized transactions or withdraw cash from NFC-enabled ATMs.
New Variant Utilizes HandyPay to Abuse Payment Functionality
The newly discovered variant utilizes HandyPay, an app available on Google Play since 2021 that enables NFC-based data exchanges between devices. This lets the malware abuse the app’s payment functionality to siphon off card information without arousing suspicion, since HandyPay requires no special permissions and can be set as the device’s default payment application.
By comparison, alternative tools such as NFU Pay and TX-NFC are priced at nearly $400 and $500 per month respectively, whereas HandyPay requires just a monthly donation of $9.99.
Campaign Active Since November 2025, Primarily Targeting Android Devices in Brazil
The campaign utilizing this variant has been active since November 2025, primarily targeting Android devices in Brazil. The attackers employ two distribution methods: one involves luring users into installing the malware through a fake update prompt, while the other uses a fake lottery website that redirects victims to the download page after they claim their supposed winnings.
Users Advised to Exercise Caution When Installing Apps
Upon installation, the app prompts users to designate it as the default NFC payment application, requests their card PIN, and asks them to tap their card on the phone so it can be read. The extracted information is then transmitted to an attacker-controlled address hardcoded into the application.
As a result, Android users are advised to exercise extreme caution when prompted to install or update apps, especially those related to payments or NFC functionality. Additionally, using robust antivirus software and keeping the operating system up to date with the latest security patches is crucial in mitigating the risks posed by such threats.
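The behaviour described above, an app that asks to become the default NFC payment application and then sends card data to a hardcoded address, leaves a footprint in the package itself: on Android, only apps that register a host card emulation (HCE) service with the "payment" AID category are eligible to be the default payment app. The following triage helper is an added example, not code from the article, from HandyPay or from the NGate authors. It parses an AndroidManifest.xml together with the host-apdu-service XML it references (both are constructed samples, including the package name and AID) and reports the traits a reviewer would want to see together: a payment-category HCE service, network access, and whether the service demands the device be unlocked.

```python
"""Triage helper: does an Android package register as an NFC payment app?

Added example. Both XML documents below are constructed samples; the
package name and AID are placeholders, not values from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"

# Constructed manifest of a hypothetical payment app (not HandyPay's).
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.constructed.pay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="{HCE_ACTION}"/>
      </intent-filter>
      <meta-data android:name="{HCE_META}" android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml; the AID is a placeholder value.
SAMPLE_APDU = f"""<host-apdu-service xmlns:android="{ANDROID_NS}"
    android:description="@string/servicedesc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aiddesc" android:category="payment">
    <aid-filter android:name="F0010203040506"/>
  </aid-group>
</host-apdu-service>"""


def _a(elem, attr):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def permissions(manifest_root):
    return {_a(p, "name") for p in manifest_root.iter("uses-permission")}


def hce_services(manifest_root):
    """Services whose intent filter exposes the HOST_APDU_SERVICE action."""
    found = []
    for svc in manifest_root.iter("service"):
        if HCE_ACTION in {_a(act, "name") for act in svc.iter("action")}:
            meta = {_a(m, "name"): _a(m, "resource") for m in svc.iter("meta-data")}
            found.append({"name": _a(svc, "name"), "apdu_resource": meta.get(HCE_META)})
    return found


def aid_groups(apdu_root):
    """One (category, [AIDs], requireDeviceUnlock) tuple per aid-group."""
    # Android documents requireDeviceUnlock as defaulting to false.
    unlock = (_a(apdu_root, "requireDeviceUnlock") or "false").lower() == "true"
    return [(_a(g, "category"), [_a(f, "name") for f in g.iter("aid-filter")], unlock)
            for g in apdu_root.iter("aid-group")]


def triage(manifest_xml, apdu_xml):
    """Summarise the package's NFC payment profile and raise review flags."""
    manifest = ET.fromstring(manifest_xml)
    groups = aid_groups(ET.fromstring(apdu_xml))
    perms = permissions(manifest)
    payment = any(cat == "payment" for cat, _, _ in groups)
    report = {
        "package": manifest.get("package"),
        "hce_services": [s["name"] for s in hce_services(manifest)],
        "payment_category": payment,
        "internet": "android.permission.INTERNET" in perms,
        "require_unlock": any(u for _, _, u in groups),
        "aids": [aid for _, aids, _ in groups for aid in aids],
        "flags": [],
    }
    if report["hce_services"] and payment:
        report["flags"].append("eligible to become the default NFC payment app")
    if payment and report["internet"]:
        report["flags"].append("payment HCE service with network access: verify where card data is sent")
    if payment and not report["require_unlock"]:
        report["flags"].append("payment AIDs served without requiring device unlock")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_APDU).items():
        print(f"{key}: {value}")
```

The flags describe a profile, not a verdict: a genuine payment app such as HandyPay legitimately carries the same traits, so when a package looks like a trojanized copy of a Play-distributed app, the decisive checks are the APK's signing certificate against the Play build and the install source (a fake update prompt or a lottery site, as in this campaign, rather than Google Play).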
