
NGate Android Malware Steals Card Data via HandyPay


A dangerous piece of Android malware is back with a new disguise. NGate, which security researchers first documented in 2024, now poses as HandyPay, a legitimate NFC payment app. Once installed, it silently captures the data the victim’s physical bank card transmits over NFC and relays it to an attacker waiting at an ATM. The card itself never leaves the victim’s hands.

NGate does not rely on skimming devices or data breaches. It turns the victim’s own phone into the theft tool, using a relay technique that no Android malware had been seen using in the wild when NGate emerged and that has only grown more widespread since.

What Is NGate and How Does It Work?

NFC stands for Near Field Communication. It is the short-range wireless technology behind tap-to-pay at checkout terminals and contactless cash withdrawals at ATMs. When you tap your card, the card and the terminal exchange a sequence of EMV commands and responses over a distance of a few centimetres. That link carries no encryption of its own; the card proves it is genuine with cryptograms it computes, and the system relies on physical proximity to guarantee that the card answering the terminal is the one being tapped.

NGate breaks that proximity guarantee. The malware captures the commands and responses passing between the physical card and the victim’s phone, then relays them over the internet to a second device controlled by the attacker. That device presents the relayed responses to an ATM. Because every response, cryptograms included, comes from the genuine card, the ATM cannot distinguish the relay from a card tapped directly, so it processes the transaction and dispenses cash.

At the core of NGate is NFCGate, an open-source tool originally developed by students at the Technical University of Darmstadt in Germany for legitimate security research. Attackers copied significant portions of its code and weaponized it. The result is malware that supports two roles: the victim’s phone runs in reader mode, talking to the physical card, while the attacker’s device runs in card-emulation mode (NFCGate calls it tag mode), replaying the card’s answers at the ATM.

Critically, the victim’s phone does not need to be rooted; the attacker’s device does. That asymmetry is what makes the scheme practical: the demanding setup sits entirely on the attacker’s side, and the victim only has to install an app.
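The relay described above, as an added example written for this article (it is not NGate or NFCGate code). It models a card, an ATM talking to it directly, and the same ATM talking to it through an internet relay, then shows the one thing the relay cannot hide: round-trip time. The card responses, the latency figures and the 5 ms relay-resistance bound are all constructed and simplified, and the PAN inside the record data is a placeholder.

```python
"""Toy model of the relay NGate performs, and the timing check that exposes it.
Added example for this article; not NGate or NFCGate code. Card responses,
network latency and the RTT bound are constructed and simplified."""
from dataclasses import dataclass

# Constructed EMV-style exchange: SELECT PPSE, SELECT AID, GET PROCESSING
# OPTIONS, READ RECORD. The responses are hand-built TLV with made-up values.
APDU_SEQUENCE = [
    bytes.fromhex("00a404000e325041592e5359532e444446303100"),  # SELECT 2PAY.SYS.DDF01
    bytes.fromhex("00a4040007a000000004101000"),                # SELECT AID
    bytes.fromhex("80a8000002830000"),                          # GET PROCESSING OPTIONS
    bytes.fromhex("00b2010c00"),                                # READ RECORD 1, SFI 1
]
CARD_RESPONSES = {
    APDU_SEQUENCE[0]: bytes.fromhex(
        "6f23840e325041592e5359532e4444463031a511bf0c0e610c4f07a0000000041010870101"
        "9000"),
    APDU_SEQUENCE[1]: bytes.fromhex("6f0f8407a0000000041010a50450024d43" "9000"),
    APDU_SEQUENCE[2]: bytes.fromhex("770a820219809404080101009000"),
    APDU_SEQUENCE[3]: bytes.fromhex(
        "7019"                                                   # record template
        "5711" "5400000000000000" "d2812201" "0000000000"        # tag 57, placeholder PAN
        "5f2403281231"                                           # tag 5F24, expiry
        "9000"),
}
CARD_EXCHANGE_S = 0.0005  # order of magnitude of one real card-to-reader APDU round trip


@dataclass
class SimClock:
    """Simulated time, so the example is deterministic and never sleeps."""
    now: float = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Card:
    """The victim's physical card: answers any reader that talks to it and has
    no notion of how far away the terminal really is."""

    def transceive(self, apdu: bytes) -> bytes:
        return CARD_RESPONSES.get(apdu, bytes.fromhex("6a82"))  # 6A82 = not found


class DirectLink:
    """The card held against the ATM: only the card's own processing time."""

    def __init__(self, card: Card, clock: SimClock):
        self.card, self.clock = card, clock

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(CARD_EXCHANGE_S)
        return self.card.transceive(apdu)


class RelayLink:
    """NGate-style relay: the attacker's phone emulates the card at the ATM and
    forwards each APDU across the internet to the victim's phone, which passes
    it to the real card and returns the answer the same way."""

    def __init__(self, card: Card, clock: SimClock, one_way_latency_s: float):
        self.card, self.clock, self.one_way = card, clock, one_way_latency_s

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.one_way)       # ATM -> attacker phone -> C2 -> victim phone
        self.clock.advance(CARD_EXCHANGE_S)    # victim phone talks to the real card
        response = self.card.transceive(apdu)
        self.clock.advance(self.one_way)       # response travels back to the ATM
        return response


def run_transaction(link, clock: SimClock, max_rtt_s: float) -> dict:
    """A terminal that records the transcript and the slowest round trip.
    max_rtt_s models a relay-resistance bound; pass float('inf') for an ATM
    that enforces none, which is the situation the article describes."""
    transcript, worst_rtt = [], 0.0
    for apdu in APDU_SEQUENCE:
        started = clock.now
        response = link.transceive(apdu)
        worst_rtt = max(worst_rtt, clock.now - started)
        transcript.append((apdu, response))
    return {"transcript": transcript, "worst_rtt_s": worst_rtt,
            "accepted": worst_rtt <= max_rtt_s}


def compare(max_rtt_s: float = 0.005, internet_one_way_s: float = 0.04):
    """Run the same card directly and through a relay; return both results."""
    card, clock = Card(), SimClock()
    direct = run_transaction(DirectLink(card, clock), clock, max_rtt_s)
    relayed = run_transaction(RelayLink(card, clock, internet_one_way_s), clock, max_rtt_s)
    return direct, relayed


if __name__ == "__main__":
    direct, relayed = compare()
    print("transcripts identical:", direct["transcript"] == relayed["transcript"])
    for label, result in (("direct", direct), ("relayed", relayed)):
        print(f"{label}: worst RTT {result['worst_rtt_s'] * 1000:.1f} ms, "
              f"accepted={result['accepted']}")
```

With the default 5 ms bound the direct tap passes and the relay, which adds two 40 ms internet legs to every command, fails; with no bound both pass and the two transcripts are byte-for-byte identical, which is exactly why the ATM in the article cannot tell them apart. Real relay resistance (Mastercard's RRP, for instance) is more involved than a fixed threshold, with the card supplying its own timing limits for the terminal to check, and it is far from universally deployed at ATMs.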

The HandyPay Disguise

Earlier NGate variants impersonated bank apps. The newer version hides inside a fake version of HandyPay, a real NFC payment application. This shift is deliberate. A payment app asking users to verify their card by tapping it to the phone feels far less suspicious than a banking app making the same request. The disguise fits the action it is asking the victim to perform.

The malware has not been seen on Google Play. Victims are pushed toward it through a multi-step social engineering campaign that begins long before they ever see the HandyPay interface.

How the Attack Unfolds

The attack starts with a phishing message. The victim receives an SMS or email that appears to come from their bank, warning of a security incident or a technical problem with their account. The message includes a link.

That link leads to a malicious page that pushes the victim to install an Android app. The app appears to be a legitimate support or verification tool. Once installed, it harvests the victim’s banking credentials through a fake login interface.

Then comes the phone call. A scammer contacts the victim, posing as a bank employee. Because the caller already holds the victim’s credentials, the story sounds credible. They tell the victim their account has been compromised and that they need to verify their payment card to protect their funds. They instruct the victim to install another app, the NGate malware disguised as HandyPay, sent via a follow-up SMS link.

The victim opens the app. It displays an NFC card verification screen with a PIN pad. The victim places their physical card against the back of the phone and enters their PIN.

At that moment, the app captures everything: the card’s Primary Account Number, expiry date, Application Identifiers, and the PIN itself. All of that data is sent over the internet to the attacker’s command-and-control server. The attacker, standing at an ATM, replays the data in real time and walks away with cash.

If the NFC relay fails for any reason, the attacker still holds the victim’s full banking credentials and can simply transfer funds directly.

The Technical Mechanics

NGate registers a Host Card Emulation (HCE) service. HCE is a legitimate Android feature that lets a phone present itself to an NFC reader as a contactless card, and it is how the attacker’s device answers the ATM with the relayed card data. On the victim’s side, the app uses Android’s NFC reader mode to talk to the physical card. Neither capability is unusual on its own; a genuine wallet app needs the same ones, which is why the combination is hard to flag.

CERT Polska’s analysis of a recent sample found the malware’s configuration — including the attacker’s server address — stored as an encrypted asset inside the app. The encryption key is derived from the app’s own signing certificate. Analysts decrypted it and recovered a live command-and-control endpoint. Communication with that server runs in plaintext frames, with keep-alive signals sent every seven seconds.
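The seven-second keep-alive is the kind of regularity that stands out in flow logs. The following beacon detector is an added example written for this article, not CERT Polska’s tooling: it groups packets by (source, destination, port), checks whether the inter-arrival times cluster tightly around one period, and then narrows the hits to the cadence the analysis reports. All records are constructed; 203.0.113.10 and 198.51.100.20 are documentation addresses standing in for a C2 server and an ordinary web site, and the thresholds are starting points, not calibrated values.

```python
"""Flag hosts that beacon at a fixed interval, the pattern NGate's keep-alive
(one frame every seven seconds) would leave in flow logs. Added example, not
CERT Polska's tooling; every record below is constructed."""
import statistics
from collections import defaultdict


def sample_records():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)."""
    records = []
    # Infected phone phoning home every ~7 s, with small network jitter.
    t = 1_700_000_000.0
    for jitter in (0.02, -0.05, 0.11, 0.0, -0.08, 0.04, 0.07, -0.02, 0.03, -0.06, 0.09, 0.01):
        records.append((t, "10.0.0.5", "203.0.113.10", 8080))
        t += 7.0 + jitter
    # Ordinary browsing from the same phone: bursty, irregular gaps.
    t = 1_700_000_003.0
    for gap in (0.3, 12.0, 1.1, 45.0, 0.2, 3.4, 90.0, 0.5):
        records.append((t, "10.0.0.5", "198.51.100.20", 443))
        t += gap
    records.append((t, "10.0.0.5", "198.51.100.20", 443))
    # A legitimately periodic flow (NTP-style, once a minute): a beacon by
    # shape too, which is why the period filter below matters.
    for i in range(9):
        records.append((1_700_000_001.0 + 60.0 * i, "10.0.0.5", "10.0.0.1", 123))
    return sorted(records)


def find_beacons(records, min_samples=8, max_relative_jitter=0.05):
    """Group packets by (src, dst, port) and report flows whose inter-arrival
    times sit tightly around one period. Spread is the median absolute
    deviation of the gaps relative to the median gap, so one delayed or
    dropped frame does not hide the pattern."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)
    hits = []
    for flow, times in sorted(by_flow.items()):
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        mad = statistics.median(abs(g - period) for g in gaps)
        if period > 0 and mad / period <= max_relative_jitter:
            hits.append({"flow": flow, "period_s": round(period, 2),
                         "samples": len(times),
                         "relative_jitter": round(mad / period, 3)})
    return hits


def ngate_like(hits, expected_period_s=7.0, tolerance_s=0.5):
    """Narrow generic beacons to the keep-alive cadence the analysis reports."""
    return [h for h in hits if abs(h["period_s"] - expected_period_s) <= tolerance_s]


if __name__ == "__main__":
    beacons = find_beacons(sample_records())
    for hit in beacons:
        print("periodic:", hit)
    print("7-second keep-alive candidates:", ngate_like(beacons))
```

Anything periodic trips the generic check (NTP, push notifications, health probes), so the period filter and destination context do the real work. The article gives only the interval and the fact that the frames are plaintext, not their format, so there is no payload signature to add here; on a real capture the next step is to look at the bytes of a flagged flow.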

The malware requests only three Android permissions: android.permission.NFC, android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE. On the surface, those look entirely reasonable for a payment app, and a genuine wallet requests the same ones. None of them is a runtime (dangerous) permission, so the victim never sees a prompt that might give them pause. That is part of what makes it so effective.
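The permission set and the HCE registration are both visible statically, so the shape the last two paragraphs describe can be checked before an app is ever run. The triage script below is an added example written for this article, not code from NGate, NFCGate or any research team. The manifest and the host-apdu-service resource are constructed to match the description (the real sample’s package name, service name and AID list are not given here); the package name com.example.handypay.fake, the service name .CardService and the AIDs are placeholders. On a real sample, feed it the decoded AndroidManifest.xml and the res/xml resource that apktool extracts.

```python
"""Static triage for the app shape the article describes: a Host Card
Emulation service declared alongside NFC, INTERNET and ACCESS_NETWORK_STATE.
Added example; not code from NGate, NFCGate or any analysis team. Both XML
documents are constructed, with placeholder package, service and AID values."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
PPSE_AID = "325041592E5359532E4444463031"  # "2PAY.SYS.DDF01", the contactless payment directory

# Constructed manifest (placeholder package and service names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.handypay.fake">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="HandyPay">
    <service android:name=".CardService" android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
          android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed res/xml/apduservice.xml: the PPSE AID plus one payment-scheme AID.
SAMPLE_APDU_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc">
  <aid-group android:category="payment" android:description="@string/group_desc">
    <aid-filter android:name="325041592E5359532E4444463031"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>
"""


def attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage(manifest_xml, apdu_service_xml=None):
    """Return what the app declares and the reasons, if any, it deserves a look."""
    manifest = ET.fromstring(manifest_xml.encode())
    permissions = {attr(p, "name") for p in manifest.iter("uses-permission")}

    hce_services = []
    for service in manifest.iter("service"):
        if HCE_ACTION not in {attr(a, "name") for a in service.iter("action")}:
            continue
        aid_resource = next((attr(m, "resource") for m in service.iter("meta-data")
                             if attr(m, "name") == HCE_META), None)
        hce_services.append({"name": attr(service, "name"),
                             "bind_permission": attr(service, "permission"),
                             "aid_resource": aid_resource})

    aids, categories = [], set()
    if hce_services and apdu_service_xml:
        for group in ET.fromstring(apdu_service_xml.encode()).iter("aid-group"):
            categories.add(attr(group, "category"))
            aids.extend(attr(f, "name").upper() for f in group.iter("aid-filter"))

    reasons = []
    if hce_services:
        reasons.append("declares a Host Card Emulation service (can pose as a contactless card)")
    if hce_services and "android.permission.INTERNET" in permissions:
        reasons.append("HCE plus INTERNET: the APDUs the service answers with can come from off-device")
    if "payment" in categories:
        reasons.append("registers AIDs in the payment category")
    if PPSE_AID in aids:
        reasons.append("claims the PPSE AID, so it answers a terminal's payment directory query")
    return {"permissions": sorted(permissions), "hce_services": hce_services,
            "aids": aids, "categories": sorted(categories), "reasons": reasons,
            "needs_review": len(reasons) >= 2}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_APDU_SERVICE)["reasons"]:
        print("-", line)
```

A legitimate wallet app trips every one of these checks, so the output is a reason to look closer, not a verdict: combine it with where the APK came from (sideloaded from an SMS link versus Google Play), who signed it, and whether the package contains the encrypted configuration and C2 traffic the analysis describes.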

A Threat That Has Grown Rapidly

NGate began as a campaign targeting customers of three Czech banks in late 2023. A 22-year-old suspect was arrested in Prague in March 2024, and activity paused. But the pause did not last.

ESET telemetry shows that NFC-related Android attacks surged more than 35 times in the first half of 2025 compared to the second half of 2024. The technique spread well beyond the Czech Republic. CERT Polska documented active targeting of Polish banks in late 2025. Other researchers have identified campaigns in Brazil, Slovakia, and Russia, with roughly 20 financial institutions impersonated across those regions.

NGate’s success also inspired a related tactic called Ghost Tap. Rather than relaying live NFC sessions, Ghost Tap attackers steal card details and one-time passcodes through phishing, register the stolen card in their own Apple or Google Wallet, then relay payments to other devices anywhere in the world. The underlying principle is the same: turn the victim’s payment credentials into a contactless weapon.

How to Protect Yourself

The most important defense is understanding what banks will never ask you to do. A real bank employee will not send you a link to install a third-party verification app. They will not ask you to tap your physical card to your phone and enter your PIN into an app you just downloaded from an SMS link.

Beyond that, a few practical steps reduce your risk significantly:

Only install apps from official stores. Google Play and your bank’s official website are the only safe sources for banking or payment apps. Any app delivered through a direct link in a text message should be treated as suspicious.

Turn off NFC when you are not using it. On Android, go to Settings, then Connected Devices, then Connection Preferences, and toggle NFC off; the exact path varies by manufacturer and Android version, so searching Settings for “NFC” is the quickest route. Re-enable it only when you actively need it for a payment. This limits your exposure rather than removing it, since the scam talks the victim into switching NFC on for the “verification”, so it works best alongside the habit of refusing such requests.

Never enter your PIN into an app you did not deliberately install. If any screen asks you to scan your card and type your PIN to verify your account, stop. Call your bank directly using the number on the back of your card.

Use Google Play Protect. Google has confirmed that Play Protect detects known versions of NGate, even when those apps come from outside the Play Store. Keep it enabled.

Be skeptical of urgent calls. If someone calls claiming to be from your bank and asks you to act quickly, hang up. Call your bank back on its official number. That one step defeats the social engineering that NGate depends on entirely.

Final Thoughts

The NGate Android malware has evolved precisely because the original technique worked. Disguising itself as HandyPay is a small but telling change — attackers are refining the social engineering layer, making the request to scan a card feel more natural by wrapping it in a familiar payment context.

The mechanics of this attack are sophisticated, but the entry point is not. Every successful NGate infection starts with a victim clicking a link they should not have clicked, then following instructions from someone they should not have trusted. That is also where the defense lies. Contactless payments are safe when used through legitimate apps on official platforms. The threat is not the technology — it is the deception layered on top of it.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.