
ESET Research: New NGate hides in NFC payment app, possibly built with AI

ESET Research has uncovered a sophisticated new variant of the NGate malware that compromises NFC-based payment systems by hijacking a legitimate Android application called HandyPay. The malware operators modified the legitimate NFC data relay app with malicious code that researchers believe was generated using artificial intelligence, marking a significant evolution in mobile payment fraud techniques. The compromised application enables attackers to intercept NFC data from victims' payment cards and relay it to their own devices for unauthorized contactless ATM withdrawals and fraudulent payments.

The malware goes beyond simple payment card cloning by incorporating PIN capture capabilities, allowing attackers to steal victims' payment card PINs and transmit them to command-and-control servers. This dual capability significantly increases the threat's effectiveness by providing attackers with both the card data and the authentication credentials needed for successful fraud.

While the current campaign primarily targets users in Brazil, ESET warns that NFC-based attacks are expanding geographically, suggesting this threat could impact mobile payment users globally. The suspected use of AI in generating the malicious code represents a concerning development in cybercrime tactics, as it could enable less technically skilled threat actors to create sophisticated malware variants. This evolution in NGate demonstrates how cybercriminals are adapting to leverage both legitimate applications as attack vectors and emerging technologies like AI to enhance their operations against increasingly popular contactless payment systems.

Why It Matters

This discovery highlights the growing sophistication of mobile payment fraud and the potential for AI to democratize advanced malware development. As contactless payments become ubiquitous globally, the ability of cybercriminals to compromise legitimate NFC applications and potentially use AI-generated code threatens the security foundation of mobile payment ecosystems. The evolution from custom tools to hijacking trusted applications makes detection more difficult and could erode user confidence in contactless payment security.

Note

This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.