NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool.

BleepingComputer

New NGate Android malware hides in a trojanized NFC payment app

More: https://maniabel.work/archiv/1482

#Android #HandyPay #Kartenzahlung #Malware #NFC #NGate-Malware #Trojaner #Sideloading #up2date #infosec

Punto Informatico: NGate: payment data theft with app and AI

The new NGate variant exploits a modified version of the HandyPay app to install malware that allows payment cards to be cloned.

NGate: Payment data theft with app and AI

The new NGate variant exploits a modified version of the HandyPay app to install malware that allows for cloning of payment cards.

#NGate #HandyPay

https://www.punto-informatico.it/ngate-furto-dati-pagamento-app-ai/


Malware Exploits Android App to Harvest NFC Card Data

A new malware called NGate is putting NFC payment card users in Brazil at risk, exploiting the popular HandyPay app to steal sensitive card data and PINs. This sneaky attack leaves cardholders vulnerable to financial loss and compromised personal info.

https://osintsights.com/malware-exploits-android-app-to-harvest-nfc-card-data?utm_source=mastodon&utm_medium=social

#Ngate #MalwareOperations #Nfc #Brazil #EmergingThreats

Malware Exploits Android App to Harvest NFC Card Data

Learn how NGate malware exploits Android apps to steal NFC card data and PINs. Protect your payments now and secure your financial data from this threat today.

OSINTSights
#ESETresearch discovered a new #NGate malware variant that abuses the legitimate #HandyPay app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil. https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/ @lukasstefanko
HandyPay is an Android app that enables relaying #NFC data from one device to another. Using the trojanized version, attackers can transfer the victim’s payment card data to their own device and use it for unauthorized payments. The code can also capture payment card PINs.
Since HandyPay is significantly cheaper compared to paying for established #MaaS offerings with similar NFC relay functionality, the threat actors most probably decided on trojanizing the app as a cost-cutting measure.
We found two NGate samples being used in the campaign: one distributed via a website impersonating a 🇧🇷 lottery, the other via a fake Google Play page for a supposed card protection app. The trojanized HandyPay has never been available on the official Google Play store.
The code inside the maliciously patched HandyPay appears to have been developed with the assistance of #AI, as the logs contain emoji that are typical of AI-generated text, although definitive proof remains elusive.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/ngate
According to ESET telemetry, threat actors keep finding new ways to exploit #NFC technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low.
#NGate has demonstrated its relevance and is now enhanced with contact-stealing functionality. ESET researchers believe that this feature is designed to lay the groundwork for future attacks.
An NGate-based malware adapted for Brazil, #PhantomCard, targets banking clients via fake #Android apps that claim to improve security and privacy, distributed on pages featuring fabricated positive reviews.
And #RatOn combines RAT-like features with relay functionality, showcasing the determination of threat actors to evolve the methods of compromise. It’s distributed via fraudulent ads and apps, with the language targeting Czech and Slovak users.
Attackers remain faithful to tried-and-tested methods like #phishing calls and messages, while increasingly relying on psychological manipulation and #social engineering rather than exploiting just the technological aspect of NFC.
Read more about the evolution of the NFC threat landscape in the latest #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf

Two days ago, the #NewYork Sheriffs’ Office warned about Android #NGate malware.

It can steal (relay) your card details & PIN, letting the threat actor withdraw cash via ATMs without your card.
It abuses #NFC tech used for tap-to-pay.

ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app.
It shares the same package name (com.billy.cardemv) as some #NGate / #PhantomCard variants targeting Brazil, suggesting it could be a new version still focused on Brazil.
#NGate captures NFC card data and relays it to an attacker-controlled device, which uses the data for ATM withdrawals or POS payments, all without physical access to the victim’s card. We described #NGate in detail in our blog post in 2024:
https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
IoCs:
Android/Spy.NGate.BD

NFC payments threatened by the NGate malware

A new wave of cyberattacks is hitting NFC payments: the evolution of the NGate malware, the real dangers, and how to secure your smartphone.

Gomoot: technology and lifestyle. Discover the latest news on hardware, AI technology and more

#BREAKING #ESETresearch NFC Android malware impersonates banking app in 🇵🇱 Poland. #NGate malware impersonates a banking verification application to steal NFC data and PIN from victims’ physical payment card. x.com/LukasStefanko

The threat actor can then use it to withdraw money from an ATM via a contactless terminal without having the payment card.

More information about NGate malware: https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/

IoCs:
C&C: 38.180.222[.]230:5577
Sample: 6A41008744498A3EDDA0BDF763ADC7F157441E1D
Detection name: Android/Spy.NGate.L
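The indicators ESET publishes in the posts above (the C&C endpoint and sample SHA-1 for the Poland campaign, the com.billy.cardemv package name for the Brazil campaign) are what a defender would sweep managed Android fleets for. The following is an added example, not code from ESET or from any post on this page: it refangs the published indicators and matches them against a package inventory and NetFlow-style records; the inventory entries, the flow lines, the hashes other than ESET's sample hash, and the package name com.example.cardprotect are all constructed.

```python
import re

# Indicators quoted in the ESET posts on this page, kept in the defanged
# form in which they were published.
NGATE_IOCS = {
    "c2": "38.180.222[.]230:5577",                       # Poland campaign C&C
    "sha1": {"6A41008744498A3EDDA0BDF763ADC7F157441E1D"},  # Poland sample
    "packages": {"com.billy.cardemv"},                    # Brazil campaign package
}

def refang(indicator):
    """Restore a defanged indicator ('[.]' -> '.') so it can be compared with logs."""
    return indicator.replace("[.]", ".")

def parse_c2(endpoint):
    """Split a 'host:port' indicator into (host, port)."""
    host, _, port = refang(endpoint).rpartition(":")
    return host, int(port)

# Constructed sample input (not from the page): an MDM-style inventory of
# (package name, APK SHA-1) pairs and a few NetFlow-style records.
SAMPLE_INVENTORY = [
    ("com.android.chrome", "0000000000000000000000000000000000000001"),      # constructed hash
    ("com.example.cardprotect", "6A41008744498A3EDDA0BDF763ADC7F157441E1D"), # constructed name
    ("com.billy.cardemv", "0000000000000000000000000000000000000002"),       # constructed hash
]
SAMPLE_FLOWS = [
    "2025-10-01T12:00:01Z 10.0.0.12:51022 -> 203.0.113.10:443 tcp",
    "2025-10-01T12:00:05Z 10.0.0.12:51031 -> 38.180.222.230:5577 tcp",
    "2025-10-01T12:00:09Z 10.0.0.12:51032 -> 38.180.222.230:443 tcp",
]
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<dport>\d+) ")

def match_inventory(inventory, iocs=NGATE_IOCS):
    """Return (package, reason) for entries hitting a known package name or sample hash."""
    hits = []
    for pkg, sha1 in inventory:
        if pkg in iocs["packages"]:
            hits.append((pkg, "package-name"))
        elif sha1.upper() in iocs["sha1"]:
            hits.append((pkg, "sample-sha1"))
    return hits

def match_flows(lines, iocs=NGATE_IOCS):
    """Return timestamps of flows to the C&C host on the published port only."""
    host, port = parse_c2(iocs["c2"])
    return [m.group("ts") for m in map(FLOW_RE.match, lines)
            if m and m.group("dst") == host and int(m.group("dport")) == port]
```

Matching on host and port together keeps the sweep tied to the published C&C endpoint; a hit on the host alone (as in the third constructed flow) is worth a look but is not reported as an NGate indicator match.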

NGate Android malware relays NFC traffic to steal cash

ESET Research uncovers Android malware that relays NFC data from victims’ payment cards, via victims’ mobile phones, to the device of a perpetrator waiting at an ATM.