NGate
NGate is an Android malware family focused on NFC relay fraud and theft of payment card data. It was first publicly documented by ESET in August 2024 and is also referred to as NFSkate in some reporting. The malware is used to capture and relay NFC payment card data from victims’ physical cards to attacker-controlled devices, enabling unauthorized contactless purchases and ATM cash withdrawals using the victims’ own cards. Multiple sources describe NGate as an Android NFC relay kit and banker used in recent NFC relay attacks.
Observed infection and delivery methods include phishing and social engineering. Reporting describes campaigns using phishing followed by calls from fake bank support, fake banking or payment-related apps, fake Google Play pages, and lottery-themed lure sites. In the Brazil-focused campaign active since about November 2025, operators distributed a trojanized version of the legitimate Android app HandyPay via a fake Rio de Prêmios lottery site and a fake Google Play page that offered the malware as Proteção Cartão. Earlier reporting notes that prior NGate activity built on NFCGate, an open-source NFC relay research tool, while newer variants abuse HandyPay instead.
Behaviorally, NGate prompts victims to set the malicious app as the default payment app, enter their payment card PIN, and tap their physical card against the phone. The malware then reads and relays NFC card data to attacker-controlled infrastructure or devices. Reporting states that PINs are exfiltrated to attacker-controlled servers over HTTP, and one report notes relayed data being linked to an attacker device via a hardcoded email address embedded in the app. The trojanized HandyPay variant reportedly requires no special permissions beyond being set as the default payment app, which may reduce user suspicion.
Documented targeting includes Czech bank customers, users of Polish banks, and Android users in Brazil. CERT Polska observed NGate samples targeting Polish bank users. ESET described a campaign in Czechia, active since November 2023, that combined phishing, social engineering, and malware to clone and relay NFC payment card data without rooting the device. Later reporting describes Brazil as the first South American country specifically targeted by an NGate campaign, with Portuguese-language strings observed in at least one variant.
The malware has been associated with financial fraud operations rather than a named state actor. It is repeatedly discussed alongside other NFC-relay malware families such as SuperCard X, RelayNFC, ZNFC, and PhantomCard. ESET and WeLiveSecurity reporting on newer variants noted signs that some injected malicious code may have been AI-generated, including emoji-like artifacts in logs or debug strings, but definitive proof of AI involvement was not established. Additional reporting states NGate later received an upgrade adding contact stealing capabilities.
High-confidence indicators and artifacts published for this family are limited. The malware has been distributed in trojanized form under the names HandyPay and Proteção Cartão, and one report states that Google Play Protect detects known versions. No malware hash or domain indicator specific to NGate is given in the sources summarized here.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
One documented delivery chain uses a fake lottery website that impersonates the Brazilian state lottery Rio de Prêmios. The site shows a rigged scratch-card game in which the user always wins R$20,000 and is then directed to send a WhatsApp message to claim the prize, after which they are guided to download the trojanized app.
Execution (2 techniques)
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (1 technique)
Defense Impairment (1 technique)
Credential Access (2 techniques)
Collection (3 techniques)
Once installed on a victim’s phone, the trojanized version silently reads payment card data via NFC and forwards it to an attacker-controlled device.
Command and Control (1 technique)
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Referenced as Android malware involved in NFC payment relay schemes used to abuse stolen payment card data.
An Android malware family referenced through a new variant targeting Brazilian users, noted for injected code showing AI-assisted development indicators.
An Android NFC-skimming malware family distributed as a fake payment app.
Android malware embedded in a trojanized HandyPay app that steals payment card data via NFC, captures the victim's card PIN, relays stolen NFC data to an attacker-controlled device, and exfiltrates the PIN to a C2 server over HTTP to enable unauthorized contactless payments and ATM withdrawals.