
NGate Android malware uses HandyPay NFC app to steal card data

Why This Matters

The emergence of the NGate Android malware leveraging the HandyPay NFC app highlights a growing threat to mobile payment security, especially as attackers exploit legitimate apps to steal payment data. This development underscores the need for increased vigilance and security measures in mobile banking and payment apps to protect consumers and the industry from fraud and financial loss.

Key Takeaways

A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool.

NGate was originally documented in mid-2024 and steals payment card information through the mobile device's near-field communication (NFC) chip.

The data is sent to the attacker, who creates virtual cards used for unauthorized purchases or for withdrawing cash from ATMs with NFC support.

In the earlier versions, the malware used an open-source tool called NFCGate to capture, relay, and replay the payment card information.

New research from ESET details a new variant that uses a version of the HandyPay app, which has been injected with malicious code to facilitate data-stealing operations.

The researchers found that code in the new NGate malware contains emojis, which may indicate the use of a generative AI tool for development.

[Figure: Malicious code snippet. Source: ESET]

HandyPay has been available on Google Play since 2021 and supports NFC-based data transmissions between devices, a feature that NGate abuses to exfiltrate the card information.

ESET believes the reason behind moving from NFCGate to HandyPay is likely financial, but evasion also plays a key role. The researchers underline the high cost of NFC relaying tools such as NFU Pay and TX-NFC, and the fact that these are “noisy” on infected devices.
