NGate Android Malware Hijacks HandyPay NFC App to Steal Payment Card Data
What Happened – A new NGate variant embeds malicious code in a trojanized version of the HandyPay NFC payment app, capturing NFC card details on Android devices and forwarding them to attackers who generate virtual cards for fraudulent transactions.
Why It Matters for TPRM –
- Payment‑processing apps are a high‑value third‑party risk; compromise can expose cardholder data across multiple merchants.
- The use of a low‑cost, widely‑distributed app (HandyPay) lowers the barrier for attackers to infiltrate supply chains.
- Signs of AI‑generated code (emoji markers left in the source) suggest rapid, automated weaponisation that can outpace traditional detection controls.
Who Is Affected – Financial services, retail merchants, and any organization that relies on Android‑based NFC payment solutions, especially in Brazil.
Recommended Actions –
- Verify that any NFC payment app used by employees or customers is sourced directly from Google Play and signed by a trusted publisher.
- Enforce mobile device management (MDM) policies that block installation of unknown APKs and require app whitelisting.
- Conduct periodic scans for malicious code in third‑party payment SDKs and monitor for anomalous NFC traffic.
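One way to operationalise the first two actions, as an added example that is not code from the advisory or from HandyPay: the script below parses the output of real adb and apksigner commands, checks installed payment apps against an allowlist of expected publisher signing fingerprints, and flags whichever package currently holds the default NFC payment role if its signer is not trusted. The package names, fingerprints and sample command outputs are constructed placeholders.

```python
"""Audit an Android device for an untrusted NFC payment handler (added example,
not the advisory's or HandyPay's code). Parses real adb/apksigner output formats;
sample outputs, package names and fingerprints below are constructed placeholders."""
import re
from typing import Dict, List

# Expected signer SHA-256 per payment package (placeholder value, not the real publisher's).
TRUSTED_SIGNERS: Dict[str, str] = {"com.example.handypay": "aa" * 32}
SIGNER_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})")

def third_party_packages(pm_output: str) -> List[str]:
    """Parse `adb shell pm list packages -3` output ('package:<name>' per line)."""
    return [ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")]

def signer_fingerprints(apksigner_output: str) -> List[str]:
    """Parse `apksigner verify --print-certs <apk>` output for SHA-256 signer digests."""
    return SIGNER_RE.findall(apksigner_output)

def nfc_default_package(settings_output: str) -> str:
    """Parse `adb shell settings get secure nfc_payment_default_component`
    ('<package>/<service>' or 'null') into the package that owns the NFC payment role."""
    value = settings_output.strip()
    return "" if value in ("", "null") else value.split("/", 1)[0]

def audit(packages: List[str], signers: Dict[str, List[str]], nfc_pkg: str) -> List[str]:
    """Flag repackaged copies of allowlisted apps and an untrusted default NFC handler."""
    def trusted(pkg: str) -> bool:
        return TRUSTED_SIGNERS.get(pkg) in signers.get(pkg, [])
    findings = [f"{p}: not signed by the expected publisher (possible trojanized build)"
                for p in packages if p in TRUSTED_SIGNERS and not trusted(p)]
    if nfc_pkg and not trusted(nfc_pkg):
        findings.append(f"{nfc_pkg}: holds the default NFC payment role without a trusted signer")
    return findings

# Constructed sample: a repackaged HandyPay plus an unknown app that owns the NFC role.
SAMPLE_PM = "package:com.example.handypay\npackage:com.example.cardprotect\n"
SAMPLE_APKSIGNER = {
    "com.example.handypay": "Signer #1 certificate SHA-256 digest: " + "bb" * 32 + "\n",
    "com.example.cardprotect": "Signer #1 certificate SHA-256 digest: " + "cc" * 32 + "\n",
}
SAMPLE_NFC = "com.example.cardprotect/.HostApduService\n"

def run_sample() -> List[str]:
    """Run the audit over the constructed sample; returns the list of findings."""
    pkgs = third_party_packages(SAMPLE_PM)
    signers = {p: signer_fingerprints(SAMPLE_APKSIGNER[p]) for p in pkgs}
    return audit(pkgs, signers, nfc_default_package(SAMPLE_NFC))
```

On a real device, feed the functions the output of the commands named in their docstrings (pull each APK with `adb shell pm path <pkg>` and `adb pull` before running apksigner) and populate TRUSTED_SIGNERS from the publisher's documented signing certificate.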
Technical Notes – The malware leverages the HandyPay app’s ability to become the default NFC payment handler without requesting special permissions. After installation, it prompts users for their card PIN and forces a tap of the physical card, then exfiltrates the data via a hard‑coded attacker email address. Distribution channels include a fake “Proteção Cartão” app on a counterfeit Google Play page and a lottery‑win lure that redirects victims to WhatsApp for the malicious APK. Source: BleepingComputer