NGate: The Android Malware Draining Bank Accounts via NFC — Likely Built by AI
🤔 What is NFC and why is it dangerous?
NFC (Near Field Communication) is the technology that lets you pay contactlessly with your phone or bank card. When you tap your card on a payment terminal, NFC transmits the data.
The problem: that transmission can be intercepted. That's exactly what NGate does — it captures the NFC data from your card and sends it in real time to hackers, who can then withdraw cash in your name.
🦠 How does NGate work exactly?
- You download a fake app: Hackers distribute a trojanized version of HandyPay — a legitimate NFC app — via a fake lottery site or a fake Google Play page.
- The malware activates in the background: Once installed, the app silently captures NFC data from any payment card brought near your phone.
- Your data is transmitted in real time: Your card information is sent directly to the hacker's device — they can be anywhere in the world.
- The hacker withdraws cash: Using a cloned virtual card, they visit an NFC-enabled ATM and withdraw money — without ever touching your physical card.
- Bonus: your PIN is stolen too: The malware also captures your PIN if you enter it in the app, giving full access to your account.
🤖 AI used to build the malware
What marks a turning point in this case is how the malware was built. ESET researchers found that the malicious code contains emojis in the debug logs — a signature typical of code generated by AI tools like ChatGPT or Gemini.
This isn't definitive proof, but it fits a worrying trend: cybercriminals with no advanced technical skills can now create sophisticated malware simply by asking an AI to do it for them.
- The trojanized app looks identical to a legitimate one — nothing visually distinguishes it
- It requires almost no suspicious permissions — just to be set as the default payment app
- The theft happens without you doing anything suspicious
- Hackers don't need your physical card — just your NFC data
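The relay chain above hinges on one capability the article points to: an app that can register itself as the phone's NFC payment (card-emulation) service and also has network access to ship card data off the device. As an added example, not NGate's code or ESET's tooling, the script below does a static triage of an Android manifest for exactly that combination; the manifest, the apduservice XML and the AID in it are constructed samples, and the package name is a placeholder.

```python
"""Static triage of an Android manifest for NFC card-emulation indicators.
Added example (not from the article or from NGate); all XML below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed sample manifest: what a fake "payment" app would need to declare
# to be offered as the default payment app (the real HCE declarations are public
# Android API; "com.example.fakepay" is a placeholder).
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakepay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="{HCE_ACTION}"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed sample of the referenced res/xml/apduservice.xml; AID is a placeholder.
SAMPLE_APDUSERVICE = f"""<host-apdu-service xmlns:android="{ANDROID_NS}"
    android:description="@string/desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aids" android:category="payment">
    <aid-filter android:name="F0AABBCCDDEE"/>
  </aid-group>
</host-apdu-service>"""


def triage(manifest_xml, apdu_xml=None):
    """Return the indicators a reviewer would check: NFC and INTERNET permissions,
    a host-card-emulation service, and a 'payment' AID group (default-payment-app eligibility)."""
    root = ET.fromstring(manifest_xml)
    name = f"{{{ANDROID_NS}}}name"
    perms = {p.get(name) for p in root.iter("uses-permission")}
    hce = any(a.get(name) == HCE_ACTION for s in root.iter("service") for a in s.iter("action"))
    payment = False
    if apdu_xml is not None:
        payment = any(g.get(f"{{{ANDROID_NS}}}category") == "payment"
                      for g in ET.fromstring(apdu_xml).iter("aid-group"))
    return {"nfc_permission": "android.permission.NFC" in perms,
            "internet_permission": "android.permission.INTERNET" in perms,
            "hce_service": hce, "payment_category": payment}


def relay_risk(ind):
    """True when the app can both act as a payment card and talk to a remote server."""
    return ind["hce_service"] and ind["payment_category"] and ind["internet_permission"]


if __name__ == "__main__":
    ind = triage(SAMPLE_MANIFEST, SAMPLE_APDUSERVICE)
    print(ind, "-> manual review" if relay_risk(ind) else "-> low concern")
```

None of these declarations is malicious on its own (every legitimate wallet app has them), so the result is a triage flag for apps installed from outside Google Play, not a verdict.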
🌍 Who is at risk?
Currently, the campaign targets Android users in Brazil and has been active since November 2025. But security experts warn that NFC-based attacks are expanding geographically. Earlier NGate variants had already targeted users in the Czech Republic in 2024.
No cases have been documented in the UK on this specific variant yet, but the technique can easily be replicated. Vigilance is essential.
✅ How to protect yourself
- Never install apps from outside the official Google Play Store — this is the golden rule
- Disable NFC when you're not using it — Settings → Connected devices → NFC
- Be suspicious of unexpected lottery texts or links — they may point to fake sites
- Enable Google Play Protect — it detects and blocks known NGate variants
- Never enter your PIN into an unknown mobile app
- Install antivirus software — Bitdefender Mobile detects this type of threat
- Android: Settings → Connected devices → Connection preferences → NFC
- Samsung: Settings → Connections → NFC and contactless payments
- If you don't regularly use contactless payments, disable it