Full Report
Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a report
Analysis Summary
# Tool/Technique: NGate (HandyPay Variant)
## Overview
NGate is a specialized Android malware family designed to facilitate unauthorized financial transactions by capturing and relaying Near Field Communication (NFC) data from victims' physical payment cards to a threat actor's device. This specific iteration is notable for abusing a legitimate application called **HandyPay**, which has been patched with malicious, likely AI-generated code to automate the exfiltration of sensitive payment data.
## Technical Details
- **Type:** Malware Family (Banking Trojan / NFC Relay)
- **Platform:** Android
- **Capabilities:** NFC data relay, credential harvesting, SMS intercept, and automated payment card cloning via relay.
- **First Seen:** Reported by ESET in 2024.
## MITRE ATT&CK Mapping
- **TA0031 - Network Effects**
  - T1643 - Input Injection (NFC Relay)
- **TA0037 - Collection**
  - T1430 - Access Contact List / SMS
- **TA0038 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
- **TA0009 - Collection**
  - T1533 - Data from Local System
## Functionality
### Core Capabilities
- **NFC Data Relaying:** Captures data from a physical credit/debit card held near the infected device and transmits it to a remote server or a synchronized device held by the attacker.
- **App Patching:** The malware utilizes a modified version of the legitimate **HandyPay** app, embedding malicious logic within the original APK structure.
- **AI-Generated Code:** Contains code segments that exhibit patterns consistent with Large Language Model (LLM) generation, used to bridge the legitimate app features with malicious exfiltration logic.
### Advanced Features
- **NFCGate Integration Bypass:** Unlike previous versions that relied on the open-source tool NFCGate, this variant integrates relay capabilities directly into the patched HandyPay app to reduce the footprint and bypass legacy detections.
- **Real-time Transaction Relaying:** Enables attackers to use a "second device" at an ATM or PoS terminal to emulate the victim's card while the victim is still in physical possession of it.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific hashes vary by sample, but are generally associated with patched HandyPay APKs)*
- **File Names:** `HandyPay.apk`, `Payment_Utility.apk`
- **Network Indicators:**
  - `hxxp[:]//bank-verify-check[.]com` (Example defanged C2)
  - `hxxps[:]//nfc-relay-proxy[.]xyz`
- **Behavioral Indicators:**
  - Unexpected requests for NFC permissions.
  - Background processes maintaining persistent sockets to remote IPs during NFC events.
  - Large amounts of data being sent to non-standard ports after an NFC tap.
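The last two behavioral indicators can be turned into a simple correlation rule: flag an app's outbound flow when it starts shortly after one of that app's NFC reads and either uploads a large amount of data to a non-standard port or keeps a socket open for an extended period. The following script is an added example written for this summary, not code from ESET or from the HandyPay project; the log format, the package names, the IP addresses and the thresholds are all constructed for illustration and would need to be adapted to whatever device telemetry (MDM, EDR, or NetFlow-style export) is actually available.

```python
"""Correlate NFC tap events with outbound network flows on an Android device.

Added example (not from the ESET report): flags the behavioural pattern of a
large upload to a non-standard port, or a long-lived socket, that follows an
NFC read by the same app. The log format and sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry, one record per line: "<ISO timestamp> <kind> key=value ...".
# Package names and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-08-01T10:00:00 NFC_TAP app=com.example.handypay tech=IsoDep
2024-08-01T10:00:02 FLOW app=com.example.handypay dst=203.0.113.10:8443 bytes=52000 duration=45
2024-08-01T10:00:03 FLOW app=com.android.chrome dst=198.51.100.5:443 bytes=4000 duration=1
2024-08-01T10:05:00 FLOW app=com.example.handypay dst=203.0.113.10:8443 bytes=300 duration=2
2024-08-01T10:10:00 NFC_TAP app=com.example.wallet tech=IsoDep
2024-08-01T10:10:01 FLOW app=com.example.wallet dst=198.51.100.9:443 bytes=1200 duration=1
"""

STANDARD_PORTS = {80, 443}       # anything else counts as "non-standard" here
WINDOW = timedelta(seconds=10)   # a flow this soon after a tap is correlated with it
BYTES_THRESHOLD = 16 * 1024      # upload size that counts as "large" after a tap
PERSISTENT_SECONDS = 30          # a socket held open this long counts as persistent


@dataclass
class Tap:
    ts: datetime
    app: str


@dataclass
class Flow:
    ts: datetime
    app: str
    dst_host: str
    dst_port: int
    nbytes: int
    duration: int


def parse_log(text):
    """Split the constructed log into NFC tap events and network flows."""
    taps, flows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, kind, *rest = line.split()
        fields = dict(f.split("=", 1) for f in rest)
        ts = datetime.fromisoformat(ts_str)
        if kind == "NFC_TAP":
            taps.append(Tap(ts, fields["app"]))
        elif kind == "FLOW":
            host, port = fields["dst"].rsplit(":", 1)
            flows.append(Flow(ts, fields["app"], host, int(port),
                              int(fields["bytes"]), int(fields["duration"])))
    return taps, flows


def find_suspicious(taps, flows):
    """Return alerts as (app, reason, flow timestamp) tuples."""
    alerts = []
    for flow in flows:
        # Only consider flows by the same app that begin shortly after one of its NFC reads.
        related = [t for t in taps
                   if t.app == flow.app and timedelta(0) <= flow.ts - t.ts <= WINDOW]
        if not related:
            continue
        if flow.dst_port not in STANDARD_PORTS and flow.nbytes >= BYTES_THRESHOLD:
            alerts.append((flow.app, "large upload to non-standard port after NFC tap",
                           flow.ts.isoformat()))
        if flow.duration >= PERSISTENT_SECONDS:
            alerts.append((flow.app, "persistent socket overlapping NFC event",
                           flow.ts.isoformat()))
    return alerts


def analyze(text=SAMPLE_LOG):
    taps, flows = parse_log(text)
    return find_suspicious(taps, flows)


if __name__ == "__main__":
    for app, reason, ts in analyze():
        print(f"{ts} {app}: {reason}")
```

Only the first HandyPay flow trips the rule: it starts two seconds after a tap, sends 52 kB to port 8443 and stays open for 45 seconds, so both reasons fire. The later HandyPay flow is five minutes after the tap and the wallet app's flow is small and on port 443, so neither is reported. Legitimate wallet apps also talk to the network right after a tap, which is why the port and volume thresholds matter more than the timing alone.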
## Associated Threat Actors
- Unknown; currently attributed to financially motivated cybercriminal groups targeting Android users in European and global markets.
## Detection Methods
- **Signature-based detection:** Detection of modified DEX files within the HandyPay APK structure that do not match the official developer's signature.
- **Behavioral detection:** Monitoring for apps that request `NFC` and `BIND_NFC_SERVICE` permissions combined with unusual network activity.
- **YARA rules:** Scanning for AI-generated code comments or specific strings related to NFC relay buffers within Android manifests.
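The signature-based and behavioral checks above can be combined into a static triage step run over a decoded `AndroidManifest.xml`: look for the NFC permission together with a host card emulation service (the component that carries the `BIND_NFC_SERVICE` permission) and the `INTERNET` permission, note any SMS permissions, and compare the APK's signer certificate against the known developer certificate. The script below is an added example written for this summary, not ESET's or HandyPay's code. It assumes the manifest has already been decoded to plain XML (for instance with apktool) and that the analyst keeps an allow-list of signer certificate fingerprints for the genuine app; the manifest, package name and fingerprint values are constructed placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for the NFC-relay pattern.

Added example, not ESET's or HandyPay's code. Assumes the manifest is already
plain XML and that a signer-fingerprint allow-list exists; all values below
are constructed placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_SERVICE_PERMISSION = "android.permission.BIND_NFC_SERVICE"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed manifest resembling a payment app that does host card emulation.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.handypay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".RelayService"
             android:permission="android.permission.BIND_NFC_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Placeholder allow-list: SHA-256 fingerprint of the genuine developer's signing cert.
KNOWN_GOOD_SIGNERS = {
    "com.example.handypay": {"PLACEHOLDER_SHA256_OF_GENUINE_SIGNER"},
}


def manifest_features(xml_text):
    """Extract the package name, declared permissions and HCE service names."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hce_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # An HCE service is recognised by its intent action or by the BIND_NFC_SERVICE guard.
        if HCE_ACTION in actions or svc.get(ANDROID_NS + "permission") == HCE_SERVICE_PERMISSION:
            hce_services.append(svc.get(ANDROID_NS + "name"))
    return {"package": root.get("package"), "permissions": perms, "hce_services": hce_services}


def triage(xml_text, signer_sha256):
    """Return a list of human-readable findings for an analyst to review."""
    f = manifest_features(xml_text)
    findings = []
    if "android.permission.NFC" in f["permissions"] and f["hce_services"] \
            and "android.permission.INTERNET" in f["permissions"]:
        findings.append("NFC + host card emulation service + INTERNET: relay-capable combination")
    if "android.permission.RECEIVE_SMS" in f["permissions"]:
        findings.append("RECEIVE_SMS declared: possible SMS intercept")
    expected = KNOWN_GOOD_SIGNERS.get(f["package"])
    if expected is not None and signer_sha256 not in expected:
        findings.append("signer does not match known developer certificate: repackaged APK?")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, "deadbeef"):
        print("-", line)
```

The NFC/HCE/INTERNET combination is also what a genuine wallet app declares, so on its own it is only a triage signal; the signer comparison is the finding that separates a repackaged APK from the original, which is why the two checks belong together.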
## Mitigation Strategies
- **Prevention measures:** Only install financial applications from the official Google Play Store; verify the developer's name before downloading.
- **Hardening recommendations:** Disable NFC on Android devices when not in use. Use a "Find My Device" service to remotely wipe phones if compromised.
- **User Education:** Train users to recognize social engineering attempts that prompt the installation of "security updates" or "utility apps" via SMS (Smishing).
## Related Tools/Techniques
- **NFCGate:** The original open-source tool used for NFC research that NGate was initially based on.
- **Relay Attacks:** The broader attack technique of forwarding a protocol exchange between a card and a terminal that are not actually near each other, defeating security assumptions based on physical proximity.
- **HandyPay:** The legitimate payment application that served as the "wrapper" for this malicious variant.