Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate.
“The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated,” ESET security researcher Lukáš Å tefanko said in a report shared with The Hacker News. “As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments.”
In addition, the malicious payload is capable of capturing the victim’s payment card PIN and exfiltrating it to the threat actor’s command-and-control (C2) server.
NGate, also known as NFSkate, was first publicly documented by the Slovakian cybersecurity vendor in August 2024, detailing its ability to carry out relay attacks to siphon victims’ contactless payment data with an aim to conduct fraudulent transactions.
A year later, Dutch mobile security company ThreatFabric detailed a threat codenamed RatOn that used dropper apps impersonating adult-friendly versions of TikTok to deploy NGate to carry out NFC relay attacks.
The latest version of NGate detected by ESET has primarily targeted users in Brazil, marking the first such campaign to single out the South American nation. The trojanized HandyPay application is distributed via websites masquerading as Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and a Google Play Store listing page for a purported card protection app.
The fake lottery website seeks to convince a user to tap a button to send a WhatsApp message to claim the prize money, at which point they are directed to likely download the poisoned version of the HandyPay app.Regardless of the method used, the app asks to be set as the default payment app following installation.
Then, the victim is asked to enter the payment card PIN into the app and tap their card on the back of the NFC-enabled smartphone. As soon as this step is carried out, the malware abuses HandyPay to capture and relay the NFC card data to an attacker-controlled device, thereby allowing them to use the stolen information to make cash withdrawals from ATMs.
The active campaign is assessed to have begun around November 2025. The malicious version of HandyPay has never been made available on the Google Play Store, meaning attackers are using the aforementioned methods as delivery mechanisms to trick unsuspecting users into downloading them. HandyPay has since launched an internal investigation into the matter.
ESET noted that the cheaper subscription prices for HandyPay may have caused the operators of the campaign to switch as opposed to sticking with existing turnkey solutions that cost north of $400 per month. “In…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
