A new NGate malware variant targeting Android users in Brazil hides inside a trojanized version of HandyPay, a legitimate NFC payment app. Once installed, it tricks users into setting it as the default NFC payment app, captures card PINs and NFC card data, and exfiltrates everything to an attacker-controlled email address. ESET researchers note that the shift from the open-source NFCGate tool to HandyPay is driven by cost savings and better evasion, as HandyPay requires minimal permissions. The campaign has been active since November 2025, spreading via fake Google Play pages and fraudulent lottery websites. Users are advised to avoid sideloading APKs, disable NFC when unused, and use Play Protect.

From bleepingcomputer.com