A new wave of NFC fraud in Brazil is fueled by the NGate malware, which abuses the legitimate HandyPay Android app to steal contactless payment card data and associated PINs. The campaign targets users of the HandyPay app, a mobile payment solution, by trojanizing the application to intercept NFC transactions. The exact number of affected users or financial institutions has not been disclosed.
The attack chain involves the NGate malware being distributed via malicious Android apps or sideloaded APKs, which then hooks into the HandyPay app to capture NFC card details during legitimate transactions. The malware also records PINs entered by the victim, likely through overlay attacks or keylogging. The stolen data is exfiltrated to attacker-controlled servers, enabling unauthorized contactless payments or card cloning. No specific threat actor has been attributed, and no CVEs are referenced.
As of the disclosure date, no regulatory actions, litigation, or ransom payments have been reported. The incident highlights the growing risk of trojanized legitimate apps in the mobile payment ecosystem, particularly in regions with high NFC adoption.
Trojanized Android app (HandyPay) used to relay NFC card data and capture PINs via NGate malware
The NGate malware's abuse of the HandyPay app underscores the need for mobile payment providers to implement runtime integrity checks and app-level anti-tampering measures. Financial institutions in Brazil should enhance transaction monitoring for anomalous NFC usage patterns and consider requiring biometric authentication for contactless payments above a threshold. Users must be educated to install apps only from official stores and to avoid sideloading APKs.
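As an added example, not code from the original report or from any vendor, the two monitoring controls suggested above expressed as rules over constructed NFC transaction log lines. The step-up threshold, the ten-minute relay window, the channel names and the log format are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp card terminal channel amount_brl
SAMPLE_LOG = """\
2024-05-01T10:00:00 card_A term_SOFTPOS_01 mobile_nfc 45.90
2024-05-01T10:02:30 card_A term_POS_99 contactless 850.00
2024-05-01T10:30:00 card_B term_POS_12 contactless 20.00
2024-05-01T11:00:00 card_C term_SOFTPOS_07 mobile_nfc 120.00
2024-05-01T11:45:00 card_C term_POS_33 contactless 60.00
"""

STEP_UP_THRESHOLD_BRL = 500.00        # assumed value; the report names no figure
RELAY_WINDOW = timedelta(minutes=10)  # assumed window for a tap-then-reuse pattern


def parse_log(text):
    """Parse one event per non-blank line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, terminal, channel, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "card": card, "terminal": terminal,
                       "channel": channel, "amount": float(amount)})
    return events


def analyze(text):
    """Return (rule, card, timestamp) alerts. relay_suspect: a card read by a mobile NFC
    reader app is used at a different terminal within RELAY_WINDOW. step_up_required:
    contactless amount above the threshold, so biometric confirmation should be demanded."""
    last_mobile_read = {}  # card -> most recent mobile_nfc read event
    alerts = []
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        if ev["channel"] == "mobile_nfc":
            last_mobile_read[ev["card"]] = ev
            continue
        if ev["channel"] != "contactless":
            continue
        prior = last_mobile_read.get(ev["card"])
        if (prior and prior["terminal"] != ev["terminal"]
                and ev["ts"] - prior["ts"] <= RELAY_WINDOW):
            alerts.append(("relay_suspect", ev["card"], ev["ts"].isoformat()))
        if ev["amount"] > STEP_UP_THRESHOLD_BRL:
            alerts.append(("step_up_required", ev["card"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

In the constructed data only card_A trips both rules: it is tapped on a mobile reader and then spent at another terminal two and a half minutes later for an amount above the threshold, while card_C's 45-minute gap stays below the relay rule.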