New NGate malware variant targets Android users with NFC payment data theft

A new variant of the NGate malware is targeting Android users by impersonating a legitimate mobile payment tool, HandyPay, to steal near-field communication (NFC) payment data. This malware, originally identified in mid-2024, exploits the NFC chip on mobile devices to capture payment card information. The stolen data is then transmitted to attackers who can create virtual cards for fraudulent purchases or cash withdrawals, as reported by Bleeping Computer.

The latest NGate variant injects malicious code into a trojanized version of HandyPay, a Google Play app available since 2021 that facilitates NFC data transmissions. ESET researchers suggest this shift from the previous reliance on NFCGate is driven by cost and evasion, as HandyPay requires minimal permissions and is significantly cheaper than dedicated NFC relaying tools. The campaign, active since November 2025, primarily targets Android devices in Brazil through fake app downloads promising card protection or fake lottery websites. After installation, the malware prompts users to set it as the default NFC payment app, requests card PINs, and instructs them to tap their card on the phone, exfiltrating all collected data to a hardcoded attacker email address.

This NGate variant highlights the evolving threat landscape for mobile payment security, particularly concerning NFC technology. Android users are advised to exercise extreme caution, avoid downloading APKs from untrusted sources, disable NFC when not in use, and ensure security software like Play Protect is enabled.

Source: Bleeping Computer
