New NGate Malware Variant Targets Android Users with NFC Payment Data Theft

SC Media, Apr 22, 2026

Why It Matters

The attack turns a trusted mobile‑payment app into a conduit for card‑detail theft, exposing millions of NFC users to fraud and prompting urgent industry‑wide security upgrades.

Key Takeaways

  • NGate hijacks the HandyPay app to steal NFC card data.
  • Campaign focuses on Android users in Brazil via fake downloads.
  • Malware prompts victims to set it as the default NFC payment app, then captures PINs and card taps.
  • Attackers exfiltrate data to a hard‑coded email address for virtual card fraud.
  • Experts urge disabling NFC and using Play Protect.

Pulse Analysis

The rise of contactless payments has turned smartphones into high‑value targets for cybercriminals. Since its first appearance in mid‑2024, the NGate family has specialized in exploiting the near‑field communication (NFC) chip that powers tap‑to‑pay transactions. Early versions relied on a dedicated tool called NFCGate, but recent research shows attackers are shifting toward legitimate‑looking apps to evade detection and lower operational costs. This strategic pivot underscores a broader trend: malware authors are increasingly piggybacking on trusted mobile‑payment utilities to blend in with everyday user behavior.

The latest NGate variant masquerades as HandyPay, a Google Play application that has been distributing NFC‑enabled payment services since 2021. By injecting malicious code into a trojanized APK, the malware convinces victims to set it as the default NFC payment app, then harvests card numbers, expiration dates and PINs when users tap their physical cards on the phone. The stolen credentials are routed to a hard‑coded attacker email, where they are used to generate virtual cards for fraudulent purchases or cash withdrawals. The campaign, active since November 2025, concentrates on Brazilian Android users through fake lottery sites and bogus card‑protection offers.

Financial institutions and mobile‑OS vendors are responding by tightening app vetting processes and promoting stricter NFC permissions. Android’s Play Protect now flags suspicious NFC‑related behavior, while banks encourage tokenization and one‑time‑use credentials to reduce exposure. Users can further protect themselves by disabling NFC when not needed, installing apps only from verified sources, and keeping security software up to date. As contactless payments continue to expand, the arms race between attackers and defenders will likely intensify, making proactive hygiene essential for both consumers and enterprises.
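The variant described above depends on a sideloaded app becoming the default NFC payment handler, which a defender can check for on a managed device. The following is an added example, not code from the article or from any vendor: it parses the output of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i` and flags a default handler that was not installed by a trusted store. It assumes the device records its default in that secure setting; the package names and sample outputs are constructed.

```python
import re

# Assumption: fleet policy trusts only Google Play as an installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample outputs (hypothetical package names, not from the article):
#   adb shell settings get secure nfc_payment_default_component
SAMPLE_DEFAULT = "com.example.paytap/com.example.paytap.HceService\n"
#   adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.example.wallet  installer=com.android.vending
package:com.example.paytap  installer=null
"""


def parse_installers(pm_output):
    """Map package name -> installer (None if absent) from `pm list packages -i`."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def audit_default_payment(setting_value, pm_output):
    """Classify the default NFC payment handler by how its package was installed."""
    value = setting_value.strip()
    if not value or value == "null":
        return ("no_default", None, None)
    package = value.split("/", 1)[0]  # component is "package/service class"
    installers = parse_installers(pm_output)
    if package not in installers:
        return ("unknown_package", package, None)
    installer = installers[package]
    status = "ok" if installer in TRUSTED_INSTALLERS else "sideloaded_default"
    return (status, package, installer)


if __name__ == "__main__":
    print(audit_default_payment(SAMPLE_DEFAULT, SAMPLE_PACKAGES))
```

A trusted installer does not prove an app is benign; the check only surfaces default payment handlers that arrived outside the store, which matches the fake-download distribution described above.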
