ZCyberNews

NGate Malware Trojanizes HandyPay App to Steal Brazilian NFC Data

NGate malware, using AI-generated code, has infected the legitimate HandyPay NFC app to steal payment card data and PINs from over 220,000 Android users in Brazil, according to ESET.


Executive Summary

A new variant of the Android malware family NGate is actively stealing payment card data and PINs in Brazil by trojanizing the legitimate HandyPay NFC application. According to ESET researcher Lukáš Štefanko, the threat actors patched the legitimate app with malicious code that appears to have been AI-generated. The campaign has infected over 220,000 devices, primarily targeting users in Brazil to harvest sensitive NFC transaction data for financial fraud.

Technical Analysis

The malware, identified as a new iteration of NGate, abuses the HandyPay application, which is designed to relay NFC data for legitimate purposes. The threat actors modified the app's APK file, injecting malicious modules that capture and exfiltrate sensitive information from NFC transactions. ESET's analysis indicates the injected code exhibits patterns consistent with AI-generated source code, though the researchers did not specify the exact AI tool or methodology used. The trojanized app maintains its original functionality to avoid user suspicion while operating as a data-stealing payload in the background. Once installed, the malware gains access to NFC data streams, allowing it to intercept payment card details, including track data and associated PINs entered by the user during transactions.

Tactics, Techniques & Procedures

The primary technique is the trojanization of a legitimate, trusted application (HandyPay) to distribute malware (T1574.002: Hijack Execution Flow). The malicious code is injected directly into the application's APK. The malware abuses the android.permission.NFC permission to capture contactless payment data (T1429: Capture Audio/Video). The use of potentially AI-generated code to create the malicious patch suggests an attempt to obfuscate the payload and evade signature-based detection. The campaign relies on users downloading the malicious app from unofficial sources or third-party app stores, as the trojanized version would not be available on the official Google Play Store.

Threat Actor Context

The operators behind this campaign are tracked only by the malware family name "NGate." This is not the first campaign associated with this malware; a previous report detailed NGate using AI to evade detection in trojanized NFC apps. The current operation demonstrates a shift in tactics, specifically abandoning the previously used NFCGate app in favor of HandyPay. The consistent targeting of NFC payment systems and the Brazilian region suggests a financially motivated group specializing in payment card fraud. The incorporation of AI-generated code points to an evolving technical capability, though its practical effectiveness in evading detection remains unclear.

Mitigations & Recommendations

Users should only install applications from official app stores like Google Play, which have stricter security vetting processes. Organizations, particularly those with employees traveling to or based in Brazil, should educate users on the risks of sideloading apps from third-party sources. Mobile security solutions should be deployed to detect trojanized applications and anomalous NFC data access. Developers of NFC-related applications should implement code integrity checks and consider using app attestation services to verify that their software has not been modified. The HandyPay developer should issue a public warning and work with distribution platforms to remove the malicious copies.
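The report states that the attackers patched HandyPay's APK and that the copies reached victims outside Google Play, and the recommendations above ask developers and mobile security tooling for integrity checks. The script below is an added example (not ESET's, HandyPay's or the NGate authors' code) of the defender-side check that underlies both points: compare a sideloaded APK against the developer's reference build. Patching any entry of an APK invalidates its signature, so a repackaged copy has to be re-signed with a different key; a changed signer is therefore treated as decisive on its own. Everything in the sample is constructed: the entry names, dex bytes and signer blobs are stand-ins, and no real HandyPay build or certificate fingerprint appears.

```python
"""Triage of a candidate APK against a known-good build: hashes every zip entry
and the signer material (JAR-style META-INF/*.RSA|DSA|EC files and the v2/v3 APK
Signing Block). Added example with constructed inputs, not a real signed APK."""
import hashlib
import io
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"  # trailer magic of the APK Signing Block
CODE_ENTRIES = ("AndroidManifest.xml", "classes", "lib/", "assets/")  # code-bearing paths


def apk_signing_block(apk: bytes):
    """Return the v2/v3 APK Signing Block, which sits directly before the zip
    central directory, or None if the APK has none."""
    eocd = apk.rfind(b"PK\x05\x06")  # End Of Central Directory record
    if eocd < 0:
        return None
    cd_offset = int.from_bytes(apk[eocd + 16:eocd + 20], "little")
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return None
    size = int.from_bytes(apk[cd_offset - 24:cd_offset - 16], "little")
    start = cd_offset - size - 8  # the size field excludes its own 8 bytes
    return apk[start:cd_offset] if start >= 0 else None


def apk_inventory(apk: bytes) -> dict:
    """Hash each entry plus whatever signer material the APK carries."""
    entries, signer_parts = {}, []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            entries[info.filename] = hashlib.sha256(data).hexdigest()
            name = info.filename.upper()
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                signer_parts.append(data)  # v1 (JAR) signature block carries the certificate
    block = apk_signing_block(apk)
    if block is not None:
        signer_parts.append(block)
    signer = hashlib.sha256(b"".join(signer_parts)).hexdigest() if signer_parts else None
    return {"entries": entries, "signer": signer}


def compare_to_reference(reference: dict, candidate: dict) -> dict:
    """Diff a candidate inventory against the known-good one and return a verdict."""
    ref, cand = reference["entries"], candidate["entries"]
    added = sorted(cand.keys() - ref.keys())
    removed = sorted(ref.keys() - cand.keys())
    modified = sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n])
    signer_changed = reference["signer"] != candidate["signer"]
    code_touched = [n for n in added + removed + modified if n.startswith(CODE_ENTRIES)]
    if signer_changed:
        verdict = "REPACKAGED"  # signed with a key other than the developer's
    elif code_touched:
        verdict = "TAMPERED"  # code differs under the same signer: investigate the key
    elif added or removed or modified:
        verdict = "DIFFERS"  # only non-code entries differ; still not the reference build
    else:
        verdict = "MATCHES_REFERENCE"
    return {"verdict": verdict, "signer_changed": signer_changed,
            "added": added, "removed": removed, "modified": modified}


def build_apk(files: dict, signing_block_payload=None) -> bytes:
    """Construct an APK-shaped zip for the demo (a stand-in, not a real signed APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    apk = buf.getvalue()
    if signing_block_payload is None:
        return apk
    # Splice a v2-style signing block before the central directory and patch the
    # EOCD offset so the zip stays readable.
    eocd = apk.rfind(b"PK\x05\x06")
    cd_offset = int.from_bytes(apk[eocd + 16:eocd + 20], "little")
    size = len(signing_block_payload) + 8 + 16  # ID-value pairs + trailing size + magic
    block = (size.to_bytes(8, "little") + signing_block_payload
             + size.to_bytes(8, "little") + APK_SIG_MAGIC)
    eocd += len(block)
    new_cd = (cd_offset + len(block)).to_bytes(4, "little")
    patched = apk[:cd_offset] + block + apk[cd_offset:]
    return patched[:eocd + 16] + new_cd + patched[eocd + 20:]


# Constructed stand-ins: a reference build and a sideloaded copy with an extra dex,
# an edited manifest and, necessarily, a different signer.
REFERENCE_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.pay'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "resources.arsc": b"\x02\x00\x0c\x00",
    "META-INF/CERT.RSA": b"placeholder-developer-signature-block",
}
TROJANIZED_FILES = {**REFERENCE_FILES,
    "AndroidManifest.xml": b"<manifest package='example.pay'><service android:name='.Relay'/></manifest>",
    "classes2.dex": b"dex\n035\x00" + b"\x01" * 64,
    "META-INF/CERT.RSA": b"placeholder-attacker-signature-block"}
REFERENCE_APK = build_apk(REFERENCE_FILES, b"constructed-developer-v2-signer")
TROJANIZED_APK = build_apk(TROJANIZED_FILES, b"constructed-attacker-v2-signer")

if __name__ == "__main__":
    for label, apk in (("reference copy", REFERENCE_APK), ("sideloaded copy", TROJANIZED_APK)):
        r = compare_to_reference(apk_inventory(REFERENCE_APK), apk_inventory(apk))
        print(f"{label}: {r['verdict']} added={r['added']} modified={r['modified']}")
```

On real files, read both APKs as bytes and pass them to `apk_inventory`; the reference inventory can be stored once per release and shipped to a fleet scanner. The script does not verify signatures cryptographically (that is what `apksigner verify` is for); it answers the narrower question of whether a copy deviates from the build the developer published, and it keeps reporting a `TAMPERED` verdict when code changes appear under an unchanged signer, which is exactly the case a signature check alone would wave through if the signing key had been compromised.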

Tags: android, malware, ngate, brazil, nfc, financial-fraud