Full Report
ESET researchers discover another iteration of NGate malware, this time possibly developed with the assistance of AI
Analysis Summary
# Tool/Technique: NGate (HandyPay Variant)
## Overview
NGate is an Android malware family that relays Near Field Communication (NFC) data from a victim's physical payment card to an attacker-controlled device. The variant described here is a trojanized build of the legitimate "HandyPay" application: its code was patched (the added code shows signs of GenAI assistance) to capture the victim's card PIN and to enable unauthorized ATM cash-outs and contactless point-of-sale payments.
## Technical Details
- **Type:** Malware Family (Android Banking Trojan / NFC Relay)
- **Platform:** Android
- **Capabilities:** NFC data relaying, PIN harvesting (GUI input capture), C2 communication, data exfiltration.
- **First Seen:** Approximately November 2025
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - **T1660 - Phishing:** Distribution via fake lottery and Google Play impersonation websites.
- **TA0006 - Credential Access**
  - **T1417.002 - Input Capture: GUI Input Capture:** Modified text boxes used to record victim PIN codes.
- **TA0010 - Exfiltration**
  - **T1646 - Exfiltration Over C2 Channel:** Stolen PINs and card data sent over HTTP to the attacker's server.
## Functionality
### Core Capabilities
- **Legitimate App Abuse:** Instead of using open-source tools like NFCGate, this variant patches the legitimate "HandyPay" app to leverage its existing NFC relay infrastructure.
- **NFC Relaying:** Reads data from a victim's physical card via the infected device's NFC chip and transmits it over the internet to a paired attacker device.
- **Card-Present Fraud:** Enables attackers to simulate the physical card at ATMs for cash outs or at Point of Sale (PoS) terminals for purchases.
### Advanced Features
- **AI-Assisted Development:** Log messages in the patched code contain emojis characteristic of LLM-generated output, which suggests (but does not prove) that the threat actors used a large language model to help modify the legitimate binary.
- **PIN Theft:** Includes a modified GUI input field specifically designed to capture the user's payment card PIN during the relay process.
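The relay described above needs only two declared capabilities on the victim's phone: NFC access to read the card and network access to forward it. The following is an added example (not code from ESET, HandyPay or NGate) of a static triage check over an Android manifest; both manifests and their package names are constructed for the demo. Note the caveat it illustrates: because this variant reuses HandyPay's own relay code, a capability heuristic like this flags the legitimate app just as readily as the trojanized one, so it is a filter for what to look at next, not a verdict.

```python
"""Static triage of an Android manifest for NFC-relay capability.

Added example (not code from ESET, HandyPay or NGate). The two manifests below
are constructed for the demo; the package names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed: the shape of a relay-capable app (reads cards via NFC, talks to
# the network, and can also emulate a card through host card emulation).
RELAY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardprotect">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.nfc" android:required="true"/>
  <application>
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed: an ordinary networked app with no NFC access at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the NFC-relevant capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    hce_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if any(a.get(NAME_ATTR) == HCE_ACTION for a in svc.iter("action"))
    ]
    nfc = "android.permission.NFC" in permissions
    internet = "android.permission.INTERNET" in permissions
    return {
        "package": root.get("package"),
        "nfc": nfc,
        "internet": internet,
        "hce_services": hce_services,
        # Reader-side relay (the victim role in NGate) needs only NFC + network.
        "relay_capable": nfc and internet,
        # Emulator-side relay (the attacker role) additionally needs an HCE service.
        "can_emulate_card": nfc and bool(hce_services),
    }


if __name__ == "__main__":
    for manifest in (RELAY_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

In practice the manifest comes out of the APK with `aapt2 dump xmltree` or apktool; the point of separating `relay_capable` from `can_emulate_card` is that the sample installed on a victim's phone only needs the former, so an HCE service is not required for a hit.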
## Indicators of Compromise
- **File Hashes (SHA1):**
  - `48A0DE6A43FC6E49318AD6873EA63FE325200DBC`
  - `A4F793539480677241EF312150E9C02E324C0AA2`
  - `94AF94CA818697E1D99123F69965B11EAD9F010C`
- **File Names:**
  - `PROTECAO_CARTAO.apk`
  - `Rio_de_Prêmios_Pagamento.apk`
- **Network Indicators:**
  - `protecaocartao[.]online` (Distribution Domain)
  - `104.21.91[.]170` (Distribution IP)
  - `108.165.230[.]223` (C2 Server)
## Associated Threat Actors
- Unknown (Targeting Brazilian users; potentially linked to operators of the "PhantomCard" NGate variant).
## Detection Methods
- **Signature-based detection:** ESET identifies these samples as `Android/Spy.NGate.CC` and `Android/Spy.NGate.CB`.
- **Behavioral detection:** Monitor for apps that read a payment card through the NFC reader and, in the same session, open connections to external hosts; NFC reader activity immediately followed by outbound HTTP traffic (to the C2 and distribution hosts listed above in particular) is the relay's signature.
- **Google Play Protect:** Automatically flags known versions of NGate on Android devices.
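The indicators above are published defanged, so they have to be refanged before they can be matched against DNS, proxy, firewall or EDR telemetry. The following is an added example (not ESET's tooling) that serves both the Indicators of Compromise list and the behavioral-detection bullet: it refangs the listed indicators, scans log lines for them with boundaries that prevent partial matches, and checks a file's SHA-1 against the published hashes. The log lines, client addresses and timestamps are constructed for the demo.

```python
"""Refang the published NGate indicators and scan log lines for them.

Added example (not ESET's tooling). The indicators are the ones listed in this
report; the log lines are constructed for the demo, with hypothetical client
addresses and timestamps.
"""
import hashlib
import re

# Kept in defanged form exactly as published; refang() makes them matchable.
DEFANGED_IOCS = {
    "domain": ["protecaocartao[.]online"],
    "ip": ["104.21.91[.]170", "108.165.230[.]223"],
    "sha1": [
        "48A0DE6A43FC6E49318AD6873EA63FE325200DBC",
        "A4F793539480677241EF312150E9C02E324C0AA2",
        "94AF94CA818697E1D99123F69965B11EAD9F010C",
    ],
    "filename": ["PROTECAO_CARTAO.apk", "Rio_de_Prêmios_Pagamento.apk"],
}

# Constructed DNS / proxy / firewall / EDR log lines.
SAMPLE_LOGS = [
    "2025-11-12T10:01:02Z dns client=10.0.0.5 query=protecaocartao.online type=A",
    "2025-11-12T10:01:03Z proxy client=10.0.0.5 dst=104.21.91.170:443 GET /PROTECAO_CARTAO.apk",
    "2025-11-12T10:05:40Z fw client=10.0.0.5 dst=108.165.230.223:80 action=allow",
    "2025-11-12T10:06:00Z dns client=10.0.0.7 query=play.google.com type=A",
    "2025-11-12T10:07:00Z edr host=phone-07 file=update.apk sha1=a4f793539480677241ef312150e9c02e324c0aa2",
]


def refang(indicator: str) -> str:
    """Undo the common '[.]' and 'hxxp' defanging conventions."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_patterns():
    """Compile one anchored, case-insensitive pattern per indicator.

    The look-arounds stop '104.21.91.170' from matching inside '104.21.91.1700'
    and stop a hash from matching as a substring of a longer hex string.
    """
    patterns = []
    for kind, values in DEFANGED_IOCS.items():
        for value in values:
            literal = re.escape(refang(value))
            rx = re.compile(rf"(?<![\w.]){literal}(?![\w.])", re.IGNORECASE)
            patterns.append((kind, value, rx))
    return patterns


def scan_logs(lines):
    """Return (line_index, kind, defanged_indicator) for every hit, in line order."""
    patterns = build_patterns()
    hits = []
    for i, line in enumerate(lines):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((i, kind, value))
    return hits


def is_known_sample(data: bytes) -> bool:
    """True if the SHA-1 of data is one of the published sample hashes."""
    digest = hashlib.sha1(data).hexdigest().upper()
    return digest in DEFANGED_IOCS["sha1"]


if __name__ == "__main__":
    for i, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {i}: {kind} {value} -> {SAMPLE_LOGS[i]}")
```

The indicators stay defanged in the source of truth and are only refanged at match time, so copying the list into a ticket or report never produces a clickable link; the case-insensitive match is what lets the uppercase published hashes hit the lowercase digests most EDR products emit.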
## Mitigation Strategies
- **Prevention measures:** Only download applications from the official Google Play Store; avoid sideloading apps from SMS links or suspicious websites.
- **Hardening recommendations:** Keep Android OS updated, enable Google Play Protect, and disable NFC when not in use; the malicious app can only read the card while the phone's NFC reader is active.
- **User Education:** Awareness of phishing sites impersonating lotteries (e.g., Rio de Prêmios) or "card protection" services, and of the relay's tell-tale request: it only works if the victim taps the physical card against the phone and types the PIN into the app, so any app asking for both should be treated as a red flag.
## Related Tools/Techniques
- **NFCGate:** The original open-source tool used by earlier NGate iterations.
- **PhantomCard:** A previous NGate variant also targeting Brazil.
- **NFU Pay / TX-NFC:** Malware-as-a-Service (MaaS) kits providing similar NFC relay capabilities.