Danny Weber
ESET researchers warn of updated NGate malware on Android, disguised as a payment app to intercept bank card data via NFC. Learn how to protect yourself.
Android devices are facing a renewed, serious cyber threat. Researchers at ESET have uncovered an updated version of the NGate malware, which disguises itself as a legitimate contactless payment app.
The attack is cleverly constructed. Users are lured to fake pages that visually mimic Google Play, where they are prompted to install what appears to be a useful app called HandyPay. Once installed, the program requests to be set as the default payment service—a step where many fail to spot the trick.
The real danger begins here. The app convinces the user to enter their bank card PIN and tap the card against the smartphone with NFC enabled. At this point, the malware intercepts the card data and transmits it to attackers. The stolen information is sufficient for withdrawing cash or making payments.
According to experts, NGate is an evolution of earlier malware linked to the NFCGate tool, previously used in attacks on banking clients. The new version is simpler, cheaper to distribute, and requires fewer suspicious permissions, making it stealthier.
Interestingly, emojis were found in service messages within the malware's code, which could hint at the use of generative AI in its development, though no direct evidence exists.
Experts warn that the main danger lies in users willingly handing over all necessary data, believing the app to be safe. This makes the attack particularly effective.
To reduce risks, it is advised to install apps only from trusted sources, carefully review requested permissions, avoid sharing PINs with third-party services, and use additional protective measures such as biometrics, transaction notifications, and limits on contactless payments.
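A defender-side check for the step described above, where the app asks to become the default payment service (an added example, not code from ESET or the original article): it flags a default NFC payment service that belongs to a package not installed through Google Play. It assumes the inputs are the outputs of `adb shell settings get secure nfc_payment_default_component` and `adb shell pm list packages -i`; all package names in the sample are constructed placeholders.

```python
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def audit_default_payment(setting_value, pm_output, expected_wallets):
    """Classify the default NFC payment service: none / ok / sideloaded / unexpected."""
    value = setting_value.strip()
    if value in ("", "null"):
        return ("none", None, None)
    package = value.split("/", 1)[0]  # value is a component name: package/ServiceClass
    installer = parse_installers(pm_output).get(package)
    # Allowlist first: preinstalled wallets can also have no recorded installer.
    if package in expected_wallets:
        return ("ok", package, installer)
    # Default payment handler that did not come from Google Play: highest priority.
    if installer != PLAY_STORE:
        return ("sideloaded", package, installer)
    # Came from Google Play but is not a wallet the owner expects: review manually.
    return ("unexpected", package, installer)

# Constructed sample data; package names are placeholders, not real indicators.
SAMPLE_PM = """\
package:com.example.wallet  installer=com.android.vending
package:com.example.handypay  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_SETTING = "com.example.handypay/.PaymentService\n"

if __name__ == "__main__":
    print(audit_default_payment(SAMPLE_SETTING, SAMPLE_PM, {"com.example.wallet"}))
```

The `expected_wallets` allowlist is supplied by whoever runs the check, for example the wallet apps an organization permits on managed devices.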
© A. Krivonosov