A new variant of the NGate malware is targeting Android users by disguising itself within a trojanized version of HandyPay, a legitimate mobile payment processing application. The malware is designed to steal sensitive payment card data via near-field communication (NFC), enabling attackers to create virtual cards for unauthorized transactions and ATM withdrawals.

NGate first emerged in mid-2024 as a sophisticated threat capable of intercepting NFC-based payment data directly from infected devices. In its earlier versions, the malware relied on an open-source tool called NFCGate to capture and relay card information. However, the latest variant marks a significant evolution, leveraging a modified version of HandyPay to carry out its operations more stealthily and cost-effectively.

By embedding malicious code into HandyPay, attackers are able to exploit the app’s native NFC functionality to exfiltrate payment data without raising immediate suspicion. Unlike traditional NFC relay tools, which often require extensive permissions and can be easily detected, HandyPay operates with minimal requirements – only needing to be set as the default payment application. This allows the malware to blend seamlessly into normal device activity.

The shift to HandyPay also reflects a strategic move by threat actors to reduce operational costs while improving evasion techniques. Commercial NFC relay tools can cost hundreds of dollars per month, whereas HandyPay operates on a significantly lower-cost model. This affordability, combined with its low detection footprint, makes it an attractive option for cybercriminals seeking scalable attack methods.

Once installed, the malicious app prompts users to grant it default NFC payment access, enter their card PIN, and physically tap their payment card against the device. The stolen data is then transmitted directly to the attacker, enabling immediate exploitation. This method highlights a growing trend in cybercrime, where social engineering is combined with advanced mobile malware to bypass traditional security controls.
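The capability the article describes, an app that asks to become the device's default payment application, is declared in Android's manifest as a host-card-emulation (HCE) service. The triage script below is an added example written for this page, not code from the article or from the HandyPay or NGate authors: it parses a decoded AndroidManifest.xml and the apduservice resource it references and reports any service registered for HCE, whether it declares a `payment` AID group, and whether the app requests the NFC permission. The element names, the `HOST_APDU_SERVICE` action, the `BIND_NFC_SERVICE` permission and the `host_apdu_service` meta-data key are Android's real HCE declarations; the sample manifest, package name and service name are constructed for illustration, and the two AIDs are publicly registered payment-network identifiers used only as sample data.

```python
"""Triage helper: surface host-card-emulation (HCE) payment services declared
by an Android app. Added example; the XML inputs below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_APDU_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
BIND_NFC_PERMISSION = "android.permission.BIND_NFC_SERVICE"
HCE_META_KEY = "android.nfc.cardemulation.host_apdu_service"
NFC_PERMISSION = "android.permission.NFC"


def android_attr(name):
    """ElementTree spelling of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission> names requested by the app."""
    root = ET.fromstring(manifest_xml)
    return {p.get(android_attr("name")) for p in root.findall("uses-permission")}


def find_hce_services(manifest_xml):
    """List services whose intent-filter registers them as HCE services."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.find("application").findall("service"):
        actions = {act.get(android_attr("name"))
                   for flt in svc.findall("intent-filter")
                   for act in flt.findall("action")}
        if HOST_APDU_ACTION not in actions:
            continue
        meta = {m.get(android_attr("name")): m.get(android_attr("resource"))
                for m in svc.findall("meta-data")}
        found.append({
            "name": svc.get(android_attr("name")),
            # A genuine HCE service must be guarded by BIND_NFC_SERVICE so only
            # the NFC stack can bind to it; its absence is a red flag in itself.
            "bind_permission_ok": svc.get(android_attr("permission")) == BIND_NFC_PERMISSION,
            "apdu_resource": meta.get(HCE_META_KEY),
        })
    return found


def parse_apdu_service(apdu_xml):
    """Extract AID groups (category + AIDs) from a <host-apdu-service> resource."""
    root = ET.fromstring(apdu_xml)
    groups = []
    for grp in root.findall("aid-group"):
        groups.append({
            "category": grp.get(android_attr("category")),
            "aids": [f.get(android_attr("name")) for f in grp.findall("aid-filter")],
        })
    return {
        "require_device_unlock": root.get(android_attr("requireDeviceUnlock")) == "true",
        "aid_groups": groups,
    }


def triage(manifest_xml, apdu_resources):
    """Join manifest services with their apduservice XML (keyed by '@xml/<name>')."""
    report = {"nfc_permission": NFC_PERMISSION in manifest_permissions(manifest_xml),
              "services": []}
    for svc in find_hce_services(manifest_xml):
        apdu = parse_apdu_service(apdu_resources.get(svc["apdu_resource"],
                                                     "<host-apdu-service/>"))
        payment = any(g["category"] == "payment" for g in apdu["aid_groups"])
        report["services"].append({**svc, **apdu, "payment_category": payment})
    return report


# Constructed sample: a manifest shaped like an app that wants to be the
# default payment application. Package and class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.pay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardEmulationService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed apduservice resource with a payment-category AID group.
SAMPLE_APDU = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/svc_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/grp_desc" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, {"@xml/apduservice": SAMPLE_APDU})
    print("requests NFC permission:", result["nfc_permission"])
    for s in result["services"]:
        print(f"HCE service {s['name']}: payment={s['payment_category']} "
              f"bind_perm_ok={s['bind_permission_ok']} "
              f"unlock_required={s['require_device_unlock']} aids={s['aid_groups']}")
```

Run against a manifest decoded with apktool or aapt2, the report tells an analyst at a glance whether an app that has no business handling card payments is nonetheless positioned to be offered as the default NFC payment handler, which is exactly the prompt the article says the trojanized app presents to victims.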

The campaign distributing this NGate variant has been active since November 2025, primarily targeting Android users in Brazil. Attackers are using deceptive distribution techniques, including fake applications and fraudulent promotional schemes, to trick users into installing the malware. These tactics are designed to create a false sense of trust while guiding victims through the installation process.

The emergence of this new NGate variant underscores the increasing sophistication of mobile financial threats and the vulnerabilities associated with NFC-based payment systems. As digital payments continue to grow, cybercriminals are adapting their methods to exploit trusted applications and user behavior.

Security experts advise Android users to avoid downloading applications from untrusted sources, carefully review app permissions, and disable NFC functionality when not in use. Additionally, built-in security tools such as Google Play Protect can help detect and block malicious applications, providing an added layer of defense against evolving threats like NGate.

This development highlights the urgent need for stronger mobile security practices and greater awareness among users, as attackers continue to refine their techniques to target financial data in increasingly subtle and effective ways.
