NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
Summary
A new NGate variant is stealing NFC payment data from Android users in Brazil, raising the risk of unauthorized purchases and ATM cash withdrawals. The malware hides inside a trojanized HandyPay app and uses social-engineering lures to get victims to install the malicious APK. It then collects card details and transmits them to attacker-controlled infrastructure.
Related Happenings
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
PromptSpy backdoor for Android with Gemini API automation
Malware Activity
First: 11.05.2026 16:02
Last: 11.05.2026 16:02
Sources 1
About this happening:
The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
BirdCall Android spyware variant
Malware Activity
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
How related:
the malicious version of HandyPay has been distributed since November 2025, and primarily targets users in Brazil.
About this happening:
An **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
Timeline
21.04.2026 12:00 · 2 articles
NGate malware trojanized HandyPay NFC-stealing variant
Initial Disclosure
The initial delivery phase is a trojanized **HandyPay** install that abuses legitimate NFC-payment behavior to capture card data. Fake app and lottery lures are used to push victims toward the malicious APK before the theft begins.
Sources:
- NGate Android malware uses HandyPay NFC app to steal card data — www.bleepingcomputer.com — 21.04.2026 12:00
- Trojanized Android App Fuels New Wave of NFC Fraud — www.infosecurity-magazine.com — 21.04.2026 19:00