RC RANDOM CHAOS

NGate Android malware swaps NFCGate for trojanized HandyPay to siphon NFC card data

Via BleepingComputer. Original source: "NGate Android malware uses HandyPay NFC app to steal card data" (BleepingComputer)

A fresh NGate variant tracked by ESET is hijacking HandyPay, a legitimate Android NFC payment processor on Google Play since 2021, to capture card data the moment a victim taps their card to the phone. The trojanized build inherits HandyPay’s native NFC transmission capability, requires no extra permissions beyond being set as the default payment app, and ships card data plus PINs to a hardcoded attacker email. Stolen credentials are converted into virtual cards for purchases or NFC-enabled ATM withdrawals.

The shift away from the previously favored NFCGate toolkit is largely an economics play. Commercial NFC relay kits like NFU Pay and TX-NFC run $400–$500 per month and trip user suspicion with noisy permission prompts, while a HandyPay-based implant costs roughly €9.99 per month and stays quiet on the device. ESET also notes emoji-laden code in the variant, hinting that generative AI assisted development.

The campaign has been active since November 2025 and is concentrated on Brazilian Android users. Distribution leans on social engineering: a fake “Proteção Cartão” app hosted on a spoofed Google Play page, and a bogus lottery site that funnels “winners” through WhatsApp to a malicious APK. Play Protect now flags the variant, and ESET’s standard guidance applies — avoid sideloading APKs and keep NFC off when it isn’t in use.

This is an AI-generated summary. Read the original for the full story.