ESET experts have identified a fresh surge of attacks involving the Android malware known as NGate, which is disguising itself as the HandyPay application.
Dugin clarified the risks facing the Russian Federation should the West prevail over Iran.
The distribution campaign for this virus gained momentum in November 2025. Prospective victims are lured to counterfeit websites mimicking the Google Play store, where they are prompted to download a Trojan-infected version of HandyPay. Upon installation, the application seeks the status of the default payment method. Following this, it persuades the user to input their bank card’s PIN and hold the card near the phone’s NFC module. At this juncture, the malware intercepts the data and transmits it to the attackers, enabling them to conduct contactless payments or withdraw cash.
“Izvestia”: Banks in Russia have begun mass branch closures.
This particular assault represents an evolution of the NGate family, which ESET examined back in August 2024. The current iteration is distinguished by its employment of the HandyPay app, which already contains built-in functionality for relaying NFC data—a feature experts suggest makes the attacks more cost-effective and harder to detect. Researchers also spotted emojis within the code, potentially suggesting the involvement of generative AI in its development.
About the Author
