NGate Malware Masquerades as HandyPay App to Steal NFC Payment Data from Android Users
A new variant of the **NGate** malware is targeting Android users by hiding within a trojanized version of **HandyPay**, a legitimate mobile payments processing application. This malware steals payment card information via the device's NFC chip, highlighting the increasing sophistication of mobile threats.

Originally documented in mid-2024, **NGate** is designed to pilfer payment card information through a mobile device's near-field communication (NFC) capabilities. The stolen data is then transmitted to attackers, who use it to create virtual cards for unauthorized purchases or to withdraw cash from NFC-enabled ATMs.
### Evolution of NGate
Early versions of the malware leveraged the open-source tool **NFCGate** to capture, relay, and replay payment card information. However, new research from **ESET** has uncovered a variant that infects users through a malicious version of the **HandyPay** app.
**HandyPay** has been available on Google Play since 2021 and supports NFC-based data transmissions between devices. This functionality is abused by **NGate** to exfiltrate sensitive card information.

_Source: ESET_
**ESET** suggests that the shift from **NFCGate** to **HandyPay** is driven by financial considerations and evasion tactics. NFC relaying tools like NFU Pay and TX-NFC are costly and generate considerable noise on infected devices.
"NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. HandyPay, on the other hand, is significantly cheaper, only asking for the €9.99 per month donation, if even that," **ESET** explained. "In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion."
### Targeting and Distribution
Since November 2025, this latest **NGate** variant has primarily targeted Android devices in Brazil. The distribution methods include:
* **Fake App:** Luring users to download a fake app called "Proteção Cartão" (Card Protection) hosted on a counterfeit Google Play page.
* **Fake Lottery:** Directing users through a fake lottery website, where they are prompted to claim a prize via WhatsApp, ultimately leading to the download of the malicious APK.

Once installed, the malicious app requests to be set as the default NFC payment application, prompts users for their card PIN, and asks them to tap their card on the phone for reading. The collected data is then sent to an attacker-controlled email address hardcoded into the app.
### Recommendations
Android users are advised to:
* Avoid downloading APKs from untrusted sources outside of Google Play.
* Disable NFC when not in use.
* Utilize Play Protect to scan for threats; it can detect and block the latest **NGate** malware variant.
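
The article describes a sideloaded app that asks to become the default NFC payment application. The check below is an added example (not from ESET or the original article) that compares a device's default payment component against package installer sources. It assumes text captured with `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i` on Android versions that store the default in that setting; all package names are constructed and the trusted-installer set is an assumption.

```python
"""Added example: flag a default NFC payment app that did not come from Google Play.

Inputs are text captured on an analyst workstation with:
  adb shell settings get secure nfc_payment_default_component
  adb shell pm list packages -i
All package names below are constructed for illustration.
"""
import re

# Google Play's installer package; extend for managed fleets (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package name -> installer (None if unset) from `pm list packages -i`."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def audit_default_payment(component, pm_output):
    """Return (verdict, package, installer) for the default payment component."""
    component = component.strip()
    if not component or component == "null":
        return ("no_default", None, None)
    package = component.split("/", 1)[0]  # "pkg/.Service" -> "pkg"
    installers = parse_installers(pm_output)
    if package not in installers:
        return ("unknown_package", package, None)
    installer = installers[package]
    if installer in TRUSTED_INSTALLERS:
        return ("ok", package, installer)
    # Sideloaded or preinstalled: needs a manual look either way.
    return ("suspicious_sideloaded", package, installer)

# Constructed sample data, not taken from any real device.
SAMPLE_PM = """\
package:com.example.bankwallet  installer=com.android.vending
package:com.example.cardprotect  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_DEFAULT = "com.example.cardprotect/.PaymentService\n"

if __name__ == "__main__":
    print(audit_default_payment(SAMPLE_DEFAULT, SAMPLE_PM))
```

Preinstalled vendor wallets also report no installer, so a `suspicious_sideloaded` verdict is a prompt for review rather than a confirmed detection.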