Find notable cyber news and cases, enriched with sources, timelines, and signals.

NGate malware trojanized HandyPay NFC-stealing variant

Malware Activity
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

A new NGate variant is stealing NFC payment data from Android users in Brazil, raising the risk of unauthorized purchases and ATM cash withdrawals. The malware hides inside a trojanized HandyPay app and uses social-engineering lures to get victims to install the malicious APK. It then collects card details and transmits them to attacker-controlled infrastructure.

Related Happenings

NFCShare Android malware spreads via fake banking-app updates

Malware Activity
H score21 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...

NFCShare fake banking-app update phishing campaign

Campaign
H score40 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...

Magecart Stripe and Google Tag Manager card-skimming campaign

Campaign
H score36 First: 04.06.2026 23:47 Last: 04.06.2026 23:47 Sources 1

About this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
H score26 First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
H score22 First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

Timeline

  1. 21.04.2026 12:00 2 articles · 2mo ago

    NGate malware trojanized HandyPay NFC-stealing variant

    Initial Disclosure

    The initial delivery phase is a trojanized **HandyPay** install that abuses legitimate NFC-payment behavior to capture card data. Fake app and lottery lures are used to push victims toward the malicious APK before the theft begins.

    Show sources