NGate NFC Malware - Targets Android Users via Trojanized HandyPay App

A new variant of the NGate malware is exploiting a trojanized version of the HandyPay app to steal NFC payment data from Android users in Brazil. This campaign has been active since November 2025 and utilizes deceptive distribution methods to lure victims.

Category: Malware & Ransomware | Severity: HIGH | 📰 2 sources

Original Reporting

Help Net Security · Mirko Zorz

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 There's a new type of malware called NGate that hides in a fake version of a payment app called HandyPay. It tricks people into downloading it and then steals their credit card information when they try to use it. It's been targeting people in Brazil since late 2025, using fake lottery websites and other tricks to get users to install it.

How It Works

The NGate malware family has evolved to target Android users by embedding malicious code in a trojanized version of the HandyPay app, which is a legitimate NFC payment processing tool available on Google Play since 2021. This new variant captures payment card information through the device's NFC chip and sends it to attackers, who can then create virtual cards for unauthorized purchases or ATM withdrawals.

Who's Being Targeted

The ongoing campaign, identified by ESET Research, primarily targets Android users in Brazil. The malware has been active since November 2025, leveraging the popularity of NFC transactions to exploit unsuspecting users.

Distribution Methods

The campaign employs two main distribution vectors:

  1. Fake Lottery Website: Users are drawn to a fraudulent lottery site where they are promised a prize of R$20,000. To claim the prize, users are redirected to WhatsApp, ultimately leading them to download the trojanized HandyPay APK.
  2. Fake Google Play Page: The malware is also distributed via a counterfeit Google Play page under the name "Proteção Cartão" (Card Protection), enticing users to download the APK after bypassing Android's sideloading warnings.

Signs of Infection

Once installed, the trojanized HandyPay app prompts users to set it as their default NFC payment app. It then requests their payment card PIN and instructs them to tap their card against the device. The malware relays this information to an attacker-controlled email address, enabling unauthorized transactions.

Technical Insights

ESET researchers noted that the malicious code includes emojis in the log strings, suggesting the potential use of generative AI tools in its development. This aligns with a growing trend where cybercriminals leverage AI to produce sophisticated malware without extensive programming knowledge.
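The two behaviours described above, an app that asks to become the default NFC payment handler and then prompts for a card PIN before relaying the data to an e-mail address, and log strings that contain emoji, can be turned into a simple static triage rule for a sideloaded APK. The script below is an added example, not code from ESET or from the article, and the sample strings it inspects are constructed to illustrate the heuristic rather than taken from the real NGate sample. The Android identifiers it looks for (`android.permission.NFC`, the `android.nfc.cardemulation` package, `HostApduService`, `ACTION_CHANGE_DEFAULT`) are genuine platform names; the e-mail markers are the `javax.mail`/`jakarta.mail` client libraries and the literal `smtp`.

```python
"""Static-string triage for a sideloaded Android payment app.

Added example (not ESET's or the article's code). Given strings pulled from an
APK (e.g. with `strings` or a decompiler), flag the combination described for
the trojanized HandyPay build: NFC host-card-emulation (HCE) payment handling,
a card PIN prompt, and an e-mail client, plus emoji inside log strings.
"""
import json
import re
from typing import Dict, List

# Unicode blocks covering most emoji: Misc Symbols + Dingbats (U+2600-U+27BF)
# and the Supplementary Symbols and Pictographs range (U+1F300-U+1FAFF).
EMOJI_RE = re.compile(r"[\u2600-\u27BF\U0001F300-\U0001FAFF]")

# Real Android identifiers tied to NFC HCE. A genuine payment app uses these
# too, so on their own they prove nothing; only the combination matters.
NFC_HCE_MARKERS = (
    "android.permission.NFC",
    "android.nfc.cardemulation",   # package of HostApduService / CardEmulation
    "HostApduService",
    "ACTION_CHANGE_DEFAULT",       # intent used to become the default payment app
)

# Client-side e-mail libraries: a payment terminal app has no reason to ship one.
EMAIL_EXFIL_MARKERS = ("javax.mail", "jakarta.mail", "smtp")

PIN_PROMPT_RE = re.compile(r"\bPIN\b")

# Constructed sample strings (NOT the real malware's strings).
SAMPLE_STRINGS = [
    "android.permission.NFC",
    "android.nfc.cardemulation.action.ACTION_CHANGE_DEFAULT",
    "android.nfc.cardemulation.HostApduService",
    "Tap your card on the back of the phone",
    "Enter your card PIN to continue",
    "\u2705 Card data captured, sending...",   # emoji in a log string
    "smtp.example.invalid",                     # placeholder mail host
    "javax.mail.Transport",
    "Hello World",
]

# Constructed benign comparison set.
BENIGN_STRINGS = ["android.permission.INTERNET", "Welcome", "Settings"]


def triage(strings: List[str]) -> Dict[str, object]:
    """Return per-category hits and a verdict based on their combination."""
    hits: Dict[str, List[str]] = {
        "nfc_hce": [], "pin_prompt": [], "email_exfil": [], "emoji_logs": []}
    for s in strings:
        low = s.lower()
        if any(m.lower() in low for m in NFC_HCE_MARKERS):
            hits["nfc_hce"].append(s)
        if PIN_PROMPT_RE.search(s):
            hits["pin_prompt"].append(s)
        if any(m in low for m in EMAIL_EXFIL_MARKERS):
            hits["email_exfil"].append(s)
        if EMOJI_RE.search(s):
            hits["emoji_logs"].append(s)

    present = {k for k, v in hits.items() if v}
    core = {"nfc_hce", "pin_prompt", "email_exfil"}
    if core <= present:
        verdict = "suspicious"          # default-payment-app + PIN + mail client
    elif len(core & present) == 2:
        verdict = "review"
    else:
        verdict = "no_strong_indicators"
    return {"verdict": verdict,
            "hits": hits,
            "emoji_in_strings": bool(hits["emoji_logs"])}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STRINGS), indent=2, ensure_ascii=False))
```

The verdict deliberately rests on the combination of indicators, because HandyPay itself is a legitimate NFC payment app and will carry the HCE identifiers; the emoji check is reported separately as a weak, supporting signal rather than folded into the verdict.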

How to Protect Yourself

Android users are advised to:

  1. Avoid downloading APKs from outside the Google Play Store unless they trust the publisher.
  2. Disable NFC functionality when not in use.

Conclusion

The NGate malware campaign highlights the increasing sophistication of cyber threats targeting mobile payment systems. Users must remain vigilant and adopt best practices to safeguard their financial information.

🔒 Pro Insight

The NGate malware's evolution reflects a shift towards more financially motivated cybercrime, utilizing cost-effective methods to evade detection while targeting vulnerable users in the mobile payment ecosystem.
