Overview
- ESET disclosed Tuesday that NGate operators patched the legitimate HandyPay app to capture contactless card data and PINs for fraudulent purchases and ATM cash-outs, and said server logs showed PINs from four infected phones in Brazil.
- The malware spreads through two lures: a fake Rio de Prêmios lottery site that steers victims to WhatsApp, where they are told to sideload the APK, and a spoofed Google Play page for a “Proteção Cartão” app. The tainted app was never on Google Play.
- Once installed, the app asks to become the phone’s default payment app, prompts the victim for the card PIN, then uses the phone’s NFC reader to read the contactless card and relays the captured data to an attacker-controlled device.
- Google said Play Protect detects known samples, and the HandyPay developer has opened an internal probe.
- ESET noted emoji markers in the code that hint at generative-AI help, and the move from costly relay kits to HandyPay shows NFC fraud is getting cheaper and harder to spot.
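The behaviour described above (an app that wants to be the default payment handler, touches NFC, and has a network path to relay what it reads) leaves a static footprint in the APK. The following is an added triage example, not code from ESET, HandyPay or the article: it parses a decoded AndroidManifest.xml and the host-APDU service descriptor the manifest references, and reports whether the app can register as a tap-to-pay handler and relay card data. The two manifests and the service descriptor are constructed for illustration; the package name `com.example.wallet`, the service name `.PayService` and the `triage()` thresholds are assumptions. Real manifests would come from apktool or androguard output.

```python
"""Static NFC/payment-capability triage for a decoded Android manifest.

Added example (not from ESET, HandyPay or the article). Input XML below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NFC_PERM = "android.permission.NFC"
INTERNET_PERM = "android.permission.INTERNET"
# Action that marks a service as a host-card-emulation (HCE) service.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
# Permission a HCE service must hold so only the NFC stack can bind to it.
BIND_NFC = "android.permission.BIND_NFC_SERVICE"

# Constructed manifest shaped like a tap-to-pay app: NFC + INTERNET + HCE service.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml: a "payment" AID group is what lets the
# app be offered as the default payment (tap-to-pay) handler.
SUSPECT_APDU_SERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android">
  <aid-group android:category="payment">
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>"""

# Constructed benign manifest: an NFC tag reader with no HCE service or network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <application/>
</manifest>"""


def _a(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze(manifest_xml: str, apdu_service_xml: str = "") -> dict:
    """Return the NFC/payment/relay indicators found in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    hce_services = []
    for svc in root.iter("service"):
        actions = {_a(act, "name") for act in svc.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append({
                "name": _a(svc, "name"),
                "bind_protected": _a(svc, "permission") == BIND_NFC,
                "exported": _a(svc, "exported") == "true",
            })
    payment_group = False
    if apdu_service_xml:
        aroot = ET.fromstring(apdu_service_xml)
        payment_group = any(_a(g, "category") == "payment" for g in aroot.iter("aid-group"))
    findings = {
        "nfc": NFC_PERM in perms,
        "internet": INTERNET_PERM in perms,
        "hce_services": hce_services,
        "payment_aid_group": payment_group,
    }
    findings["can_become_default_payment_app"] = bool(hce_services) and payment_group
    findings["relay_capable"] = findings["nfc"] and findings["internet"]
    return findings


def triage(findings: dict, sideloaded: bool) -> str:
    """Assumed policy: the capability set alone is normal for a wallet app;
    it is worth review only when combined with an install from outside Play."""
    if findings["can_become_default_payment_app"] and findings["relay_capable"] and sideloaded:
        return "review"
    return "ok"


if __name__ == "__main__":
    for label, manifest, apdu in (("suspect", SUSPECT_MANIFEST, SUSPECT_APDU_SERVICE),
                                  ("benign", BENIGN_MANIFEST, "")):
        f = analyze(manifest, apdu)
        print(label, f, triage(f, sideloaded=True))
```

Every genuine wallet app shows the same NFC, INTERNET and HCE pattern, so the manifest alone is not a verdict. What distinguishes the case in this report is the install path: the app came from WhatsApp or a spoofed store page, never from Google Play, so the check only becomes meaningful when paired with the installer package or signing certificate of the build under review.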