New NGate variant hides in a trojanized NFC payment app
ESET researchers identified a new variant of the NGate Android malware that trojanizes the legitimate HandyPay application to facilitate NFC relay attacks and steal payment card PINs. Targeting users in Brazil through social engineering and fake app stores, the malware allows attackers to conduct unauthorized ATM cash-outs while requiring no suspicious device permissions.
Authors: ESET Research
Source: ESET
Indicators of Compromise
- Domain: protecaocartao[.]online - Malware distribution domain hosting fake Google Play pages
- SHA-1: 48A0DE6A43FC6E49318AD6873EA63FE325200DBC - Malicious APK: PROTECAO_CARTAO.apk (Android/Spy.NGate.CC)
- SHA-1: 94AF94CA818697E1D99123F69965B11EAD9F010C - Malicious APK: Rio_de_Prêmios_Pagamento.apk (Android/Spy.NGate.CB)
- URL: hxxp://108[.]165[.]230[.]223/protecaocartao/painel.php - Endpoint used for exfiltrating stolen payment card PINs via HTTP POST
Key Takeaways
- A new NGate variant trojanizes the legitimate HandyPay Android app to relay NFC data and steal payment card PINs.
- Malicious code injections show signs of being AI-generated, lowering the barrier to entry for attackers.
- The campaign targets Brazilian users via fake lottery websites (Rio de Prêmios) and fake Google Play pages (Proteção Cartão).
- The malware requires no special Android permissions, only needing to be set as the default payment app.
- PINs are exfiltrated in plaintext via HTTP POST requests to an attacker-controlled C2 server.
Affected Systems
- Android OS
Attack Chain
Victims are lured via a fake lottery website or a fake Google Play page to manually download and install a trojanized version of the HandyPay app. Once installed, the app prompts the user to set it as the default payment app and asks them to enter their payment card PIN and tap their card against the device. The malware relays the NFC data to an attacker-controlled device using HandyPay's native functionality, while simultaneously exfiltrating the captured PIN to a C2 server via an HTTP POST request. The attackers then use the relayed NFC data and stolen PIN to perform unauthorized ATM withdrawals.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide detection rules (YARA, Sigma, etc.), but it lists file hashes, domains, and IP addresses that can be used for IOC-based detection.
Detection Engineering Assessment
- EDR Visibility: Medium. Mobile EDR/MDM solutions can detect sideloaded APKs and flag known malicious hashes, but the app requests no special permissions, which makes behavioral detection harder.
- Network Visibility: High. The malware exfiltrates PINs in plaintext via HTTP POST requests to a hardcoded IP address, which is highly visible in network traffic.
- Detection Difficulty: Moderate. The network traffic is unencrypted and easy to spot, but the malware relies on users manually sideloading apps, bypassing official app store protections.
Required Log Sources
- Network flow logs
- DNS query logs
- Mobile Device Management (MDM) app inventory
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unencrypted HTTP POST requests whose URI path is '/protecaocartao/painel.php', particularly those sent to 108.165.230.223. | Network proxy or firewall logs | Exfiltration | Low |
| Identify Android devices resolving or communicating with the domain 'protecaocartao.online'. | DNS logs | Initial Access | Low |
Control Gaps
- Lack of enforcement against sideloading apps from unknown sources
- Absence of network filtering for known malicious IPs/domains on mobile networks
Key Behavioral Indicators
- Plaintext HTTP POST requests containing 'senha=' parameters
- Sideloaded APKs named 'PROTECAO_CARTAO.apk' or 'Rio_de_Prêmios_Pagamento.apk'
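The two hunting hypotheses and the behavioral indicators above can be turned into a small triage script. The following is an added example, not code from ESET or from the report; the proxy and DNS log formats are assumed (one space-separated record per line) and the sample lines are constructed for this example. It flags plaintext POSTs to the C2 IP or URI path, treats a bare 'senha=' parameter (Portuguese for "password", so common on legitimate Brazilian login forms) as a weaker, plaintext-only signal, matches the distribution domain and its subdomains in DNS logs, and correlates clients seen in both sources. The PIN value itself is never written to the alert record.

```python
"""Added triage example for the NGate/HandyPay indicators (not from the report).
Assumed log formats:
  proxy: "<ts> <client> <method> <url> <urlencoded-body|->"
  dns:   "<ts> <client> <qname> <qtype>"
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Indicators quoted from the report
C2_IP = "108.165.230.223"
C2_PATH = "/protecaocartao/painel.php"
DIST_DOMAIN = "protecaocartao.online"
PIN_PARAM = "senha"

# Constructed sample proxy log (not real traffic)
PROXY_LOG = """\
2025-01-10T12:00:01Z 10.0.0.5 POST http://108.165.230.223/protecaocartao/painel.php senha=1234&id=device01
2025-01-10T12:00:02Z 10.0.0.6 GET https://www.example.com/ -
2025-01-10T12:00:03Z 10.0.0.7 POST https://banco.example/login user=ana&senha=secreta
2025-01-10T12:00:04Z 10.0.0.8 POST http://intranet.example/form.php nome=x&senha=abcd
"""

# Constructed sample DNS log (not real traffic)
DNS_LOG = """\
2025-01-10T11:58:00Z 10.0.0.5 protecaocartao.online A
2025-01-10T11:58:01Z 10.0.0.6 www.example.com A
2025-01-10T11:58:02Z 10.0.0.9 cdn.protecaocartao.online A
"""


@dataclass
class Hit:
    client: str
    record: str                      # log record with the body stripped
    reasons: list = field(default_factory=list)
    severity: str = "low"


def scan_proxy(lines):
    """Flag plaintext HTTP POSTs to the C2 IP/path, and bare senha= params."""
    hits = []
    for raw in lines:
        parts = raw.split(" ", 4)
        if len(parts) < 5:
            continue
        _ts, client, method, url, body = parts
        u = urlsplit(url)
        plaintext = u.scheme == "http"
        reasons = []
        if u.hostname == C2_IP:
            reasons.append("c2_ip")
        if u.path == C2_PATH:
            reasons.append("c2_path")
        # senha= alone is only a medium signal, and only over plaintext HTTP:
        # HTTPS login forms on Brazilian sites legitimately carry it.
        if method == "POST" and plaintext and body != "-":
            if PIN_PARAM in parse_qs(body, keep_blank_values=True):
                reasons.append("plaintext_senha_param")
        if reasons:
            severity = "high" if {"c2_ip", "c2_path"} & set(reasons) else "medium"
            # Never persist the body: it may contain the victim's PIN.
            hits.append(Hit(client, " ".join(parts[:4]), reasons, severity))
    return hits


def scan_dns(lines):
    """Flag clients resolving the distribution domain or any subdomain of it."""
    hits = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname == DIST_DOMAIN or qname.endswith("." + DIST_DOMAIN):
            hits.append(Hit(client, raw, ["distribution_domain"], "high"))
    return hits


def correlate(proxy_hits, dns_hits):
    """Clients that both resolved the lure domain and posted to the C2."""
    c2_clients = {h.client for h in proxy_hits if h.severity == "high"}
    dns_clients = {h.client for h in dns_hits}
    return sorted(c2_clients & dns_clients)


if __name__ == "__main__":
    ph = scan_proxy(PROXY_LOG.splitlines())
    dh = scan_dns(DNS_LOG.splitlines())
    for h in ph + dh:
        print(h.severity, h.client, h.reasons, h.record)
    print("likely compromised:", correlate(ph, dh))
```

Run against real proxy and DNS exports, the high-severity proxy hits are the ones to act on directly; medium hits (plaintext 'senha=' without the C2 indicators) are worth a look only alongside other evidence such as a sideloaded APK in the MDM inventory.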
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block access to 108.165.230.223 and protecaocartao.online on corporate networks and MDM-managed devices.
- Search MDM inventories for the identified malicious APK hashes or package names.
Infrastructure Hardening
- Enforce MDM policies that prevent the installation of Android applications from unknown sources (sideloading).
User Protection
- Ensure Google Play Protect is enabled on all corporate Android devices.
Security Awareness
- Educate users about the risks of downloading apps from outside the official Google Play Store.
- Warn users about social engineering tactics involving fake lottery winnings and WhatsApp messages.
MITRE ATT&CK Mapping
- T1660 - Phishing
- T1417.002 - Input Capture: GUI Input Capture
- T1646 - Exfiltration Over C2 Channel
Additional IOCs
- IPs:
  - 104[.]21[.]91[.]170 - Cloudflare IP hosting the protecaocartao.online distribution website
- File Hashes:
  - A4F793539480677241EF312150E9C02E324C0AA2 (SHA-1) - Malicious APK: PROTECAO_CARTAO.apk (Android/Spy.NGate.CB)
- Other:
  - +55 11 94806-0390 - WhatsApp phone number used in the fake lottery social engineering lure