New Version of NGate Masquerades as HandyPay App to Steal NFC Data

Published on April 22, 2026 | Translated from Spanish

Security researchers have detected a new campaign involving the Android malware NGate. This time, the attackers modified HandyPay, a legitimate application designed to transmit NFC data, to include malicious code. The resulting trojan steals sensitive contactless payment information, such as card data and PINs. The campaign targets users in Brazil and highlights the use of trusted apps to evade detection.

[Image: An NFC payment app with a legitimate icon shows malicious code in the background extracting data from a card.]

APK Modification and Possible Use of AI in the Malicious Code 🤖

The cybercriminals took the original HandyPay APK and injected the malicious NGate module into it. The added code shows characteristics suggesting that it was generated by, or with the assistance of, artificial intelligence, which could complicate its static analysis. Once installed, the trojanized app requests accessibility permissions to capture NFC data and the PINs entered by the user, and sends them to a server controlled by the attackers.

Your Phone Wants to Be Your Postman, But Only for Cybercriminals 📮

It's touching to see how some applications try so hard to be useful. HandyPay, in its new enhanced version, doesn't just transmit your payment data. It sends it directly to interested parties in other parts of the world, without you having to do anything. It's a free international postal forwarding service, but for your banking information. A reminder that the official app store is that boring site you should use.