Full Report
A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. [...]
Analysis Summary
# Tool/Technique: NGate (HandyPay Variant)
## Overview
NGate is an Android malware family built to steal near-field communication (NFC) payment card data. It reads data directly from a physical credit or debit card through the phone's NFC chip and relays it to an attacker-controlled device, which emulates the card. The emulated card is then used for unauthorized contactless point-of-sale purchases or, with a PIN harvested from the victim, for cash withdrawals at NFC-enabled ATMs. This variant hides inside a trojanized build of the legitimate "HandyPay" mobile payment tool.
## Technical Details
- **Type:** Malware Family (Trojanized App / NFC relay)
- **Platform:** Android
- **Capabilities:** NFC data interception, PIN harvesting, data exfiltration via email, NFC relay/replay.
- **First Seen:** Original NGate documented mid-2024; this HandyPay variant active since November 2025.
## MITRE ATT&CK Mapping
Mapped against the ATT&CK for Mobile matrix:
- **[TA0031 - Credential Access]**
- **[T1417 - Input Capture]** (harvesting card PINs through the fake "card protection" prompt)
- **[TA0035 - Collection]**
- **[T1513 - Screen Capture]** (used in some variants to observe user input)
- **[T1533 - Data from Local System]** (reading card data via the NFC chip)
- **[TA0037 - Command and Control]**
- **[T1437 - Application Layer Protocol]** (SMTP to hardcoded attacker mailboxes)
- **[TA0036 - Exfiltration]**
- **[T1646 - Exfiltration Over C2 Channel]** (card data and PINs sent over the same SMTP channel)
The NFC relay/emulation step itself has no dedicated Mobile technique; it is described under Functionality below.
## Functionality
### Core Capabilities
- **NFC Interception:** Reads the card's EMV data through the phone's NFC reader mode when the victim is lured into tapping a physical card against the phone, and registers as the default tap-and-pay (host card emulation) handler so the captured card can be emulated.
- **Social Engineering:** Prompts users to enter their physical card PIN under the guise of "card protection" or payment setup.
- **Stealthy Exfiltration:** Earlier versions relayed card data live through NFCGate-derived tooling, which depends on an attacker-run relay server that defenders can fingerprint and block. This variant instead sends the captured card data and PIN to an attacker-controlled email address hardcoded in the APK.
### Advanced Features
- **Abuse of a Legitimate Codebase:** Builds on the legitimate HandyPay payment-processing code so that the malicious additions are a small fraction of the APK, which lowers development effort and makes the sample resemble the real app under casual inspection.
- **Suspected GenAI-Assisted Development:** Code snippets contain emojis and structural patterns that suggest generative AI tooling was used to write or obfuscate parts of the code. This is an inference from code style, not a capability of the malware itself.
- **Relay/Replay:** Enables attackers to emulate the stolen card on their own devices in real-time or via stored data to perform fraudulent transactions.
## Indicators of Compromise
- **File Names:** `HandyPay.apk`, `Proteção Cartão` (Portuguese for "Card Protection", the lure app name)
- **Network Indicators:** Hardcoded attacker email addresses (not disclosed in the snippet). No C2 domains were listed; exfiltration is outbound SMTP from the device, so unexpected SMTP traffic originating from a payment app is itself an indicator.
- **Behavioral Indicators:**
- Requests to be set as the "Default NFC Payment App."
- Applications requesting NFC permissions that do not logically require them.
- Unexpected prompts for credit card PINs within a non-banking application.
## Associated Threat Actors
- **Unknown:** Not publicly attributed. The activity is financially motivated and primarily targets users in Brazil, consistent with the Portuguese-language lure.
## Detection Methods
- **Signature-based detection:** Antivirus engines and Google Play Protect flag known NGate samples by hash or family signature. This catches known builds only; a freshly repackaged variant such as the HandyPay build can pass until its samples are shared.
- **Behavioral detection:** Monitoring for the tap-and-pay default application changing to a non-standard or sideloaded APK. On a device with `adb` access the current default can be read with `adb shell settings get secure nfc_payment_default_component` and compared against the expected wallet app.
- **Code Analysis:** Statically inspecting the APK for NFCGate-derived classes, for a `HostApduService` declared in `AndroidManifest.xml` (intent action `android.nfc.cardemulation.action.HOST_APDU_SERVICE`) in an app that has no business emulating cards, and for hardcoded SMTP settings or email addresses in the decompiled code.
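As an added example (not code from the report, from NGate or from HandyPay), the following Python script applies the code-analysis and behavioral indicators above to a decoded APK: it parses `AndroidManifest.xml` for the NFC permission and an HCE payment service, scans extracted strings for hardcoded mail settings and PIN prompts, and compares the declaring package against an allowlist of legitimate wallet apps. The manifest, strings, package and service names are constructed for the example; only the Google Wallet package name in the allowlist is real.

```python
"""Static triage of a decoded APK for NGate-style NFC relay indicators.

Added example, not code from NGate, HandyPay or any vendor. All inputs
below are constructed; no real sample is used.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
NFC_PERMISSION = "android.permission.NFC"

# Constructed manifest: what a decoded relay APK might declare.
# Package and service names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pay.protect">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Proteção Cartão">
    <service android:name=".RelayApduService" android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed `strings classes.dex` output; the mail host and mailbox are
# placeholders standing in for the hardcoded exfiltration settings.
SAMPLE_STRINGS = """\
Lcom/example/pay/protect/RelayApduService;
smtp.mail.example.net
mail.smtp.port
587
drop.box@example.net
Insira o PIN do seu cartão
"""

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# At least two labels after "smtp." so a property name like mail.smtp.port
# is not reported as a host.
SMTP_HOST_RE = re.compile(r"\bsmtp\.(?:[\w-]+\.)+[\w-]+\b", re.IGNORECASE)
PIN_PROMPT_RE = re.compile(r"\bPIN\b")


def parse_manifest(xml_text):
    """Return the NFC-related indicators declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    hce_services = []
    for svc in root.iter("service"):
        actions = {a.get(ATTR_NAME) for a in svc.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append(svc.get(ATTR_NAME))
    return {
        "package": root.get("package"),
        "nfc_permission": NFC_PERMISSION in permissions,
        "hce_services": hce_services,
    }


def find_exfil_strings(strings_text):
    """Pull hardcoded mail settings and PIN prompts out of extracted strings."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(strings_text))),
        "smtp_hosts": sorted(set(SMTP_HOST_RE.findall(strings_text))),
        "pin_prompts": [ln for ln in strings_text.splitlines() if PIN_PROMPT_RE.search(ln)],
    }


def triage(xml_text, strings_text, expected_payment_apps=()):
    """Combine the indicators into findings and a verdict.

    The NGate-style combination flagged here is an HCE payment service in an
    app that is not an expected wallet, together with hardcoded mail settings.
    """
    m = parse_manifest(xml_text)
    s = find_exfil_strings(strings_text)
    findings = []
    if m["hce_services"] and m["package"] not in expected_payment_apps:
        findings.append("HCE payment service declared by a package not on the wallet allowlist")
    if m["nfc_permission"] and not m["hce_services"]:
        findings.append("NFC permission requested without a card-emulation service (reader mode only)")
    if s["emails"] or s["smtp_hosts"]:
        findings.append("hardcoded mail settings: " + ", ".join(s["emails"] + s["smtp_hosts"]))
    if s["pin_prompts"]:
        findings.append("card PIN prompt strings present")
    suspicious = bool(m["hce_services"]) and bool(s["emails"] or s["smtp_hosts"])
    return {"manifest": m, "strings": s, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    # Google Wallet is the only legitimate HCE payment app in this example allowlist.
    result = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS,
                    expected_payment_apps=("com.google.android.apps.walletnfcrel",))
    for line in result["findings"]:
        print("-", line)
    print("suspicious:", result["suspicious"])
```

Swap the embedded samples for the output of `apktool d` and `strings classes.dex` to run it against a real APK. Treat the verdict as a triage signal rather than a conviction: a legitimate payment SDK may declare an HCE service, and the mail-settings check misses addresses that are encrypted or assembled at runtime, which is exactly where a dynamic check of outbound SMTP connections from the app picks up.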
## Mitigation Strategies
- **App Provenance:** Only download financial or payment-related applications from the official Google Play Store.
- **NFC Management:** Disable NFC on Android devices when not actively in use for payments.
- **Security Software:** Ensure Google Play Protect is enabled and use a reputable mobile security suite to scan sideloaded APKs.
- **User Education:** Train users to never enter a physical card PIN into any application other than an official, verified banking app or a physical ATM/POS terminal.
## Related Tools/Techniques
- **NFCGate:** An open-source NFC traffic capture and relay tool, originally built for research, that earlier NGate variants repurposed to relay card data.
- **NFU Pay / TX-NFC:** High-cost, professional-grade NFC relaying tools frequently used by sophisticated carding actors.
- **Card Shimming:** A hardware-based equivalent technique used to intercept data from chip-enabled cards.