A new version of the NGate Android malware has recently been discovered, and it is more dangerous than earlier ones. This time, attackers are using a modified version of a real app called HandyPay. The goal of this malware is to steal users’ card details along with their PINs. Since HandyPay is originally a legitimate NFC payment app, it becomes easier for attackers to fool people. This makes the malware look more real and trustworthy to users.

In this attack, cybercriminals take the original HandyPay app and secretly inject harmful code into it. Once a user installs this infected app, it starts behaving like a normal payment tool. It may ask the user to enter their card PIN for verification purposes. The app also asks users to tap their debit or credit card on the phone using NFC. While everything seems normal, the app is actually collecting sensitive data in the background.
After collecting the card details and PIN, the malware sends all this information to the attackers. With this stolen data, attackers can create virtual copies of the victim’s card. These copies can then be used for contactless payments without the real card. In some cases, attackers can even withdraw money from ATMs that support NFC technology. The most dangerous part is that the physical card is never required for this fraud.
Earlier versions of NGate malware used a tool called NFCGate to carry out similar attacks. However, in this new version, attackers have shifted to using HandyPay instead. This makes the attack more effective because the app appears genuine and trusted. Users are less likely to suspect anything when using a known app. Researchers have also noticed that advanced techniques may be used to improve this malware.
The latest campaign has mainly targeted users in Brazil and has been active since around November 2025. Security experts believe that a single organized group is responsible for these attacks. This shows that the operation is well-planned and not random. Earlier versions of NGate had already targeted banking users in Europe. This indicates that the malware is evolving and spreading over time.
The main method used in this attack is called an NFC relay attack. In simple terms, when a user taps their card on the infected phone, the data is captured instantly. This data is then sent to the attacker’s device in real time. The attacker can use it as if they physically have the card in hand. Because of this, transactions can happen immediately without raising suspicion.
Victims are usually tricked into installing this malware through fake websites or scam messages. These messages often create urgency or promise rewards to attract users. Sometimes, the links look like official app pages to gain trust. Once the app is installed, it guides users step by step to complete actions. Without realizing it, users end up giving away their sensitive financial information.
This incident shows how cybercriminals are becoming smarter by using trusted apps as a disguise. It highlights the growing risk of mobile-based financial attacks. Users need to be careful when installing apps and should only use official sources. Entering card details or a PIN into unknown apps should always be avoided. Overall, NGate malware is a strong reminder that even normal-looking apps can hide serious threats.
Stay alert, and keep your security measures updated!