Android Malware Trojanizes HandyPay App to Steal NFC Data

Cybersecurity researchers have identified a new campaign targeting Android users in Brazil, where a known malware family has been modified to impersonate a legitimate payment application. The campaign, active as of early 2024, aims to steal sensitive Near Field Communication (NFC) data and personal identification numbers (PINs) from compromised devices.

The malware, known as NGate, has been observed trojanizing a legitimate app called HandyPay. HandyPay is a tool designed to relay NFC data, commonly used for contactless payments and access control. This marks a significant shift in the threat’s methodology, as earlier versions of NGate typically abused a different app called NFCGate.

Technical Details of the Attack

According to ESET security researcher Lukáš Štefanko, the threat actors took the original HandyPay application and patched it with malicious code. Štefanko noted that the malicious code appears to have been AI-generated, a technique that can help evade traditional detection methods. The trojanized app is then distributed through unofficial channels to potential victims.

Once installed on a victim’s device, the malicious application requests extensive permissions. If granted, it operates in the background, intercepting NFC transactions. The malware is designed to capture the data transmitted during an NFC payment or authentication event, which includes card details and the associated PIN entered by the user.

Primary Target and Distribution

The current campaign is specifically focused on users in Brazil. The choice of target aligns with the widespread adoption of contactless payment technologies in the region. The malicious actors likely distribute the trojanized HandyPay application via phishing links, third-party app stores, or deceptive social media advertisements posing as legitimate software updates.

Security analysts emphasize that the application is not available on the official Google Play Store. This distribution method relies on users disabling security protections on their devices to install apps from unknown sources, a practice known as sideloading.
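A quick triage a defender can run against a device over adb, added here as an example and not code from ESET or from the HandyPay project: it lists third-party packages whose recorded installer is not the Play Store and checks whether each holds the NFC permission. It assumes adb access to the device, the `package:<name>  installer=<pkg|null>` layout of `pm list packages -i`, and the `android.permission.NFC: granted=true` line in `dumpsys package` output; the sample package list is constructed, and the HandyPay-lookalike package name is a placeholder.

```shell
#!/bin/sh
# Added triage helper (not ESET's or HandyPay's code). Assumes adb access and the
# documented output layouts of 'pm list packages -i' and 'dumpsys package'.

# Read 'pm list packages -3 -i' lines on stdin and print every package whose
# installer is not the Play Store (com.android.vending); installer=null means
# the package was sideloaded.
sideloaded_packages() {
    awk '/^package:/ {
        split($1, p, ":"); pkg = p[2]
        inst = "null"
        for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) { split($i, q, "="); inst = q[2] }
        if (inst != "com.android.vending") print pkg
    }'
}

# Read 'dumpsys package <pkg>' output on stdin; succeed if NFC is granted.
holds_nfc_permission() {
    grep -q 'android.permission.NFC: granted=true'
}

# Live check: flag sideloaded packages that can talk to the NFC controller.
triage_device() {
    adb shell pm list packages -3 -i | sideloaded_packages | while read -r pkg; do
        if adb shell dumpsys package "$pkg" | holds_nfc_permission; then
            echo "REVIEW: $pkg (not from Play Store, holds NFC permission)"
        fi
    done
}

# Constructed sample of 'pm list packages -3 -i' output; package names are
# placeholders, not real indicators from the campaign.
SAMPLE_LIST='package:com.example.bank  installer=com.android.vending
package:br.example.handypay.lookalike  installer=null
package:com.example.notes  installer=com.sec.android.app.samsungapps'

# Uncomment to run against a connected device:
# triage_device
```

Anything the script flags deserves a manual look at its signing certificate and full permission set rather than automatic removal, since legitimate NFC tools installed from other stores will also match.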

Security Implications and Recommendations

The theft of NFC data and PINs presents a direct financial threat to individuals. With this information, attackers can clone contactless cards or make unauthorized transactions. The use of AI-assisted code generation also suggests an evolution in the sophistication of common mobile malware.

Security firms advise Android users to only install applications from the official Google Play Store. They also recommend keeping device operating systems and security software updated, carefully reviewing app permissions before installation, and avoiding clicking on links from untrusted sources that promote app downloads.

Google has been notified of the malicious application. The company typically removes identified malicious apps from devices via its Google Play Protect service and blocks the associated developer accounts from the official store.

Ongoing Investigation and Next Steps

ESET and other cybersecurity organizations continue to monitor the NGate campaign. Researchers are analyzing the AI-generated code to better understand its origins and improve detection signatures for antivirus engines. Law enforcement agencies in Brazil have likely been alerted to the campaign targeting citizens.

Further developments are expected as security vendors dissect the malware’s command and control infrastructure. Updates to mobile security software will be released to detect and remove this specific threat. Users who suspect they have installed the malicious HandyPay app should run a security scan immediately and consider contacting their financial institutions.

Source: ESET Research
