NGate Evolved: New Android Malware Campaign Active in Brazil With AI-Generated Code
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
TL;DR (Summary)
A new version of the NGate malware (also known as NFSkate) is active in Brazil, hiding as spyware inside the well-known app HandyPay. The malware runs code that appears to be AI-generated, and it steals the card's NFC data and PIN in order to withdraw money from ATMs and make contactless payments.
Overview of the discovery
Cybersecurity researchers at ESET found a new campaign that uses the NGate malware. While older versions relied on tools such as NFCGate, this latest version changes approach and plants malicious code inside a legitimate app called HandyPay.
According to ESET researcher Lukáš Štefanko, the malicious payload was most likely created or modified with the help of LLMs (such as ChatGPT). This campaign, which appears to have started in November 2025, is the first time NGate has targeted the Brazilian market with this intensity.
Technical evolution: From NFCGate to HandyPay
NGate's core function is stealing near-field communication (NFC) data. Once they get their hands on this data, the thieves can relay the signal from the victim's real card to another device of their own. This lets the attackers:
- Withdraw cash contactlessly from ATMs.
- Make contactless payments at in-store POS terminals.
The switch to HandyPay matters for two reasons:
- Low cost: ready-to-use "Malware-as-a-Service" (MaaS) offerings cost more than 400 dollars a month. HandyPay offers cheap subscriptions on the black market.
- Stealth: HandyPay by design does not request many permissions, apart from becoming the default payment app, which keeps it from triggering security alerts for the user.
Attack method: Fake lottery and social engineering
The NGate malware is not found on the official Google Play Store. Instead, the attackers use social engineering to trick people into downloading the poisoned app from outside the store (sideloading). At present, the methods in use are:
- Fake lottery sites: sites that pose as "Rio de Prêmios" (a well-known lottery in Rio de Janeiro) lure people with prizes. Victims are told to send a WhatsApp message to claim the prize, and there they download the tampered HandyPay app.
- Fake Google Play pages (mirrors): web pages built to look like the real Play Store, which tell victims that the app is for "card protection".
How the theft happens
Once the trojanized app is installed, the attack proceeds in this order:
- Permission request: the app asks the victim to set it as the default payment app.
- Code collection: the app asks the victim to enter their bank card PIN in its interface.
- Data capture: the victim is asked to tap their card against the back of the NFC-enabled phone.
- Data exfiltration: the app captures the NFC data and the PIN and sends them to the attacker's server (C2).
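A defender-side triage for the chain above (a sideloaded app that ends up as the default payment app), added here as an example and not taken from ESET's report or the original article. It parses constructed samples of `adb shell pm list packages -i -3` and `adb shell settings get secure nfc_payment_default_component` output; the package names and the trusted-installer set are assumptions, as is the device exposing its default payment service through that secure setting.

```python
import re

# Installers treated as trusted stores (assumption; set per fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cardprotect  installer=com.google.android.packageinstaller
package:com.example.game  installer=null
"""
# Constructed sample of
# `adb shell settings get secure nfc_payment_default_component` output.
SAMPLE_DEFAULT = "com.example.cardprotect/.PaymentService\n"

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(listing):
    """Map third-party package name -> installer (None when unknown)."""
    installers = {}
    for line in listing.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def default_payment_package(setting_value):
    """Extract the package from a 'pkg/Class' component string."""
    value = setting_value.strip()
    if not value or value == "null":
        return None
    return value.split("/", 1)[0]


def triage(listing, setting_value):
    """Return (sideloaded packages, sideloaded default payment app or None)."""
    installers = parse_installers(listing)
    sideloaded = sorted(p for p, i in installers.items()
                        if i not in TRUSTED_INSTALLERS)
    default = default_payment_package(setting_value)
    # Preinstalled wallets are absent from the -3 listing, so never flagged.
    flagged = default if default in sideloaded else None
    return sideloaded, flagged


if __name__ == "__main__":
    print(triage(SAMPLE_PACKAGES, SAMPLE_DEFAULT))
```

A non-empty second element means the default payment app was installed from outside a trusted store, which is the combination described in the steps above and worth a manual review of that package.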
The link to AI (artificial intelligence)
The researchers noticed signs suggesting that the code may have been created with AI, especially when they found emojis in the debug messages and toast messages inside the code. This fits the new wave of attackers who are not technically skilled and who use generative AI to modify code or to build malware.
Current status
HandyPay started an internal investigation after this report. For now, the campaign remains a threat to people in Brazil. Experts warn that NGate's activity means NFC theft is on the rise, and that attackers are moving away from traditional phishing toward technically harder methods such as hardware-based relay attacks.
Source
Original article: NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Source title: NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Publication date: April 2026 (via The Hacker News)