A dangerous new Android malware has emerged that can capture contactless payment data from physical credit and debit cards and relay it to an attacker's Android device, enabling fraudulent transactions. The malware, known as NGate, was recently discovered by researchers at ESET, who identified it as the first of its kind found in the wild.
NGate is actually built on NFCgate, a tool developed by students at the University of Darmstadt in Germany. NFCgate was originally designed to capture, analyze, and modify near-field communication (NFC) traffic, which is the technology that enables devices like smartphones to communicate wirelessly in close proximity. While NFCgate was created as a legitimate research tool for studying protocols and security in NFC traffic, it has been repurposed by threat actors to carry out malicious activities.
ESET observed a threat actor combining NFCgate's capabilities with phishing and social engineering to target victims and attempt to steal money from their bank accounts through fraudulent ATM transactions. The scam began with SMS messages sent to potential victims in Czechia, claiming to relate to tax issues. Those who clicked the link were directed to a progressive web app (PWA) or a WebAPK that phished for their banking credentials and sent the information to the attacker. This tactic resembles methods attackers have used on the Google Play store to trick users into revealing their banking details.
Upon falling for the social engineering ploy, victims were directed to download NGate, which initiated a series of steps to enable fraudulent ATM withdrawals. The malware would prompt victims to provide sensitive banking information, such as their client ID, birthdate, and PIN for their bank card. Additionally, victims were instructed to enable the NFC feature on their smartphone and place their payment card on the back of the device. This allowed NGate to capture NFC data from the victim’s card and send it to the attacker’s Android device, enabling the cloning of the victim’s card for unauthorized transactions.
If the initial method failed, the attacker's backup plan was to use the bank account data obtained from the victim to transfer funds to other accounts. By relaying card data through NGate rather than moving money between accounts, the attacker could avoid leaving a trace of the transaction leading back to their own accounts. According to ESET senior malware researcher Lukas Stefanko, this malware made it easier for attackers to steal funds from victims' accounts without detection.
Furthermore, NGate can be used for various malicious purposes beyond financial fraud. Attackers can leverage this malware to intercept and relay data from any NFC tag or token, including those used for public transport tickets, ID badges, and membership cards. This capability opens up possibilities for executing relay attacks in different scenarios, potentially allowing attackers to gain unauthorized access to secured premises.
In conclusion, the emergence of NGate highlights the evolving landscape of mobile malware and the increasing sophistication of attackers in exploiting NFC technology for malicious purposes. Users are advised to remain vigilant against phishing attempts and to exercise caution when downloading apps or clicking on links, especially those related to financial information. The collaboration between researchers and security professionals is crucial in identifying and mitigating such threats to protect users from falling victim to fraud and unauthorized access.