Rising Threat of NGate Malware via HandyPay: A Detailed Exploration
A new variant of the NGate malware has recently surfaced, utilizing a trojanized version of HandyPay to perpetrate fraud and steal sensitive card data. HandyPay, a legitimate NFC payment relay application for Android, has been exploited by cybercriminals to capture card numbers and Personal Identification Numbers (PINs), enabling unauthorized ATM cash-outs and fraudulent transactions.
According to ESET Research, the trojanized app not only mimics HandyPay’s functionality but also subtly engages the user by asking them to set it as the default NFC payment application. As a reminder, HandyPay has been available on Google Play since 2021, allowing users to relay NFC card data to perform tap-to-pay transactions seamlessly. However, the malicious variant is distributed outside the official Google Play store.
The modus operandi adopted by the attackers involves obtaining a clean HandyPay APK, injecting malicious code, and then disseminating this altered version through various channels. Notably, the injected code exhibits distinct characteristics that suggest it was generated using artificial intelligence, demonstrating the growing sophistication and accessibility of cybercrime tools. This trend highlights a concerning shift, allowing low-skill actors to weaponize NFC payment applications on a larger scale than before.
Once the user installs the trojanized app, the malicious software requests critical permissions and guides them through a process of tapping their card on the device’s rear to facilitate NFC transactions. Behind the scenes, however, NGate intercepts the NFC payload, relaying it to an attacker-controlled device that can mimic the victim’s card for unauthorized contactless payments and ATM withdrawals.
Interestingly, this variant of NGate requires minimal permissions, making it appear benign and thereby easing the user’s suspicions. Additionally, the attacker has pre-linked the device using hard-coded email addresses, ensuring that all relayed NFC data is funneled directly to their infrastructure without raising red flags.
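The two traits described above, an app that arrives outside Google Play and then asks to become the default NFC payment application, are also what a defender can look for on a device. The script below is an added example, not code from ESET's write-up or from the HandyPay project: it parses the real `adb shell pm list packages -i` output format to learn each package's installer, then flags packages that were not installed by Google Play yet implement an NFC host-card-emulation (HCE) payment service, with the default-payment holder called out separately. Which packages implement an HCE payment service, and which one holds the default role, are supplied here as constructed data; on a real device that information comes from `dumpsys`, whose exact output format this script does not assume. All package names other than `com.android.vending` are constructed placeholders.

```python
"""
Added triage example (not from ESET or the HandyPay project): flag Android
packages that were sideloaded (installer is not Google Play) AND implement an
NFC payment (HCE) service. The NGate-in-HandyPay chain depends on exactly that
combination, so the pairing is a useful, low-noise indicator.

Assumptions, labelled:
  * Installer data is parsed from the real `pm list packages -i` format:
        package:<name>  installer=<installer-package|null>
  * The set of HCE payment apps and the default-payment holder are constructed
    inputs here; collect them from `dumpsys` on a real device.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Installer packages treated as trusted app stores. com.android.vending is Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` output.
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when unknown or sideloaded)."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def triage(installers: Dict[str, str],
           hce_payment_apps: Iterable[str],
           default_payment_app: Optional[str]) -> List[Finding]:
    """Return findings for HCE payment apps that did not come from a trusted store.

    System apps also report installer=null, so 'sideloaded' alone is noisy;
    restricting to packages that expose an NFC payment service keeps the
    output focused on the role NGate needs.
    """
    findings: List[Finding] = []
    for pkg in hce_payment_apps:
        inst = installers.get(pkg, "null")
        if inst in TRUSTED_INSTALLERS:
            continue
        if pkg == default_payment_app:
            reason = "sideloaded package is the DEFAULT NFC payment app"
        else:
            reason = "sideloaded package implements an NFC payment (HCE) service"
        findings.append(Finding(pkg, inst, reason))
    return sorted(findings, key=lambda f: f.package)


# Constructed sample device state (package names are placeholders).
CONSTRUCTED_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.google.android.gms  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.tapandpay  installer=com.android.vending
package:com.example.repackaged.pay  installer=null
package:com.example.otherstore.app  installer=com.example.otherstore
"""
CONSTRUCTED_HCE_PAYMENT_APPS = [
    "com.example.tapandpay",        # store-installed: should not be flagged
    "com.example.repackaged.pay",   # sideloaded and set as default payment app
    "com.example.otherstore.app",   # installed by a third-party store
]
CONSTRUCTED_DEFAULT_PAYMENT_APP = "com.example.repackaged.pay"


def run_example() -> List[Finding]:
    """Run the triage over the constructed sample and return the findings."""
    installers = parse_installers(CONSTRUCTED_PM_OUTPUT)
    return triage(installers, CONSTRUCTED_HCE_PAYMENT_APPS, CONSTRUCTED_DEFAULT_PAYMENT_APP)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.package} (installer={f.installer}): {f.reason}")
```

On the constructed sample the store-installed payment app is ignored, while the two non-Play packages are reported, and the one holding the default NFC payment role is called out as the higher-priority finding. Treat a hit as a prompt to check the package's signing certificate and origin against the genuine app, not as proof of compromise on its own.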
ESET’s analysis revealed unusual log strings, including emojis, which suggest the use of generative AI tools in crafting the malicious code. This pattern is often associated with outputs generated by large language models and AI assistants, marking a significant evolution in how malware is structured and disseminated. The economics further favor such abuse: HandyPay is comparatively inexpensive (access is requested as a nominal €9.99 per month donation) and needs almost no permissions, which makes it an even more attractive base to repackage.
This alarming use of AI in malware creation indicates that cybercriminals rely increasingly on these technologies to reduce the barriers to entry for creating effective Android malware. The AI-assisted exfiltration logic packages the stolen PIN information and transmits it to command-and-control (C&C) servers over HTTP.
Currently, the NGate campaign appears to be concentrating on Android users within Brazil, as evidenced by logs from compromised devices that ESET uncovered. These logs contain captured data such as PINs, IP addresses, and timestamps, revealing a systemic exploitation targeted at Brazilian consumers.
Two main distribution channels have been identified for this variant, both hosted on the same domain and likely operated by a single threat group. The first involves a fraudulent lottery site named "Rio de Prêmios," which tricks users into thinking they have won money, subsequently directing them to WhatsApp to claim their “prize” while delivering the trojanized HandyPay APK. The second method imitates a Google Play web page, promoting a fictitious app called “Proteção Cartão” (Card Protection), designed to deceive users into sideloading the compromised HandyPay app.
The NGate malware’s assault on Brazil is not entirely new; previous campaigns utilizing different tools such as NFCGate have shown a marked evolution in tactics, with the latest variant opting for the less complex route of exploiting established applications like HandyPay.
Data Theft and Financial Risks
Once a user falls victim to the malicious APK—having allowed installations from unknown sources—the malware prompts them to input their payment card PIN and perform an NFC tap. At this critical juncture, NGate captures the entire NFC transaction data, concurrently sending it to the operator’s device that can readily replicate the card. In tandem, the PIN is exfiltrated to a dedicated C&C endpoint, also doubling as the malware distribution server.
To bolster credibility in their deceptive scheme, the associated WhatsApp account utilizes a profile image that impersonates Caixa Econômica Federal, Brazil’s leading government-owned bank responsible for a significant portion of the country’s lotteries.
With control over live NFC data and accurate PINs, attackers can swiftly withdraw cash from NFC-enabled ATMs or execute high-value purchases without ever coming into contact with the physical card.
While Google Play Protect offers a layer of defense against known NGate variants, user vigilance remains paramount. Android users are advised to refrain from sideloading apps from untrusted sources and to ensure that all payment applications are downloaded directly from the official Google Play store to mitigate their risk.
Conclusion
This ongoing saga underscores the evolving landscape of cyber threats, particularly through the lens of advanced malware like NGate and its ability to exploit legitimate applications to achieve nefarious ends. As the integration of AI into malware development becomes increasingly commonplace, users must remain vigilant and proactive in safeguarding their personal data against a shifting array of threats.
