ESET researchers recently uncovered a sophisticated crimeware campaign targeting clients of three Czech banks, utilizing a unique malware called NGate. This malware has the capability to relay data from victims’ payment cards, through a malicious app installed on their Android devices, to the attacker’s rooted Android phone. The primary objective of this campaign was to facilitate unauthorized ATM withdrawals from victims’ bank accounts using the near field communication (NFC) data relayed by NGate.
The attackers behind this campaign combined standard malicious techniques such as social engineering, phishing, and Android malware to carry out a novel attack scenario. Initially, the group operated in Czechia using malicious progressive web apps (PWAs) and WebAPKs, but later transitioned to the NGate Android malware to extend their capabilities. NGate does not extract the card's secret keys; it captures the NFC exchange with the victim's physical payment card, held against the infected phone, and relays it to the attacker's device, which emulates the original card at an ATM and completes the transaction.
This crimeware campaign marks the first known instance of Android malware with this capability being used in the wild. The malware works on unrooted victim devices; only the attacker's receiving phone needed to be rooted. The attackers initially targeted clients of prominent Czech banks using short-lived domains impersonating legitimate banking websites or official mobile banking apps.
In a significant breakthrough, Czech police apprehended a 22-year-old suspect who had been withdrawing money from ATMs in Prague and was found with 160,000 Czech korunas. The arrest gave a concrete lower bound on the campaign's financial impact; the total amount stolen is likely considerably higher.
The attackers evolved their attack scenarios from using PWAs to more sophisticated WebAPKs before deploying the NGate Android malware. By utilizing the NGate malware, the attackers were able to facilitate NFC relay attacks and gain access to victims’ financial information, enabling unauthorized ATM withdrawals and fund transfers to other accounts.
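The following toy simulation is an added example and is not ESET's or NGate's code; it illustrates the relay scenario described above and earlier on this page (victim phone reads the real card, attacker's phone emulates it at the ATM). The card, terminal and command names are constructed stand-ins: a real EMV card answers the terminal's challenge with a cryptogram computed from a key that never leaves the chip, which is modelled here as an HMAC over a nonce. The example shows why the terminal cannot distinguish the relayed card from the genuine one, that the card's key never appears in the relayed traffic (this is a relay, not a clone), and that the relay fails when the victim's NFC is off.

```python
"""Toy NFC relay simulation (constructed example, not NGate code).

Card / Terminal / phone classes and the SELECT and AUTH commands are
made-up stand-ins for an EMV-style challenge/response.
"""
import hashlib
import hmac
import os

# Constructed demo data: the issuer knows each card's key; the terminal
# asks the issuer side to verify the card's response.
ISSUER_KEYS = {"4111111111111111": b"issuer-key-for-demo-only"}


class Card:
    """Toy card: the key stays inside; only responses leave the chip."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def process(self, apdu: bytes) -> bytes:
        cmd, _, payload = apdu.partition(b":")
        if cmd == b"SELECT":
            return self.pan.encode()
        if cmd == b"AUTH":
            return hmac.new(self._key, payload, hashlib.sha256).digest()
        return b"ERR"


class Terminal:
    """ATM-side logic: challenge whatever is tapped and verify the reply."""

    def __init__(self, issuer_keys: dict):
        self.issuer_keys = issuer_keys

    def authenticate(self, tapped) -> bool:
        pan = tapped.process(b"SELECT:").decode(errors="replace")
        key = self.issuer_keys.get(pan)
        if key is None:
            return False
        nonce = os.urandom(16)
        response = tapped.process(b"AUTH:" + nonce)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class VictimPhone:
    """Infected phone: its NFC reader is held against the real card and
    answers whatever command the relay delivers."""

    def __init__(self, card: Card, nfc_enabled: bool = True):
        self.card = card
        self.nfc_enabled = nfc_enabled

    def forward(self, apdu: bytes) -> bytes:
        if not self.nfc_enabled:
            raise ConnectionError("victim NFC off or card not present")
        return self.card.process(apdu)


class AttackerPhone:
    """Rooted phone emulating a card at the ATM: every command from the
    terminal is shipped to the victim side and the answer relayed back."""

    def __init__(self, victim: VictimPhone):
        self.victim = victim
        self.log = []  # relayed traffic, as seen on the wire

    def process(self, apdu: bytes) -> bytes:
        try:
            response = self.victim.forward(apdu)
        except ConnectionError:
            response = b"ERR"
        self.log.append((apdu, response))
        return response


def genuine_tap() -> bool:
    """Real card tapped directly on the terminal."""
    card = Card("4111111111111111", ISSUER_KEYS["4111111111111111"])
    return Terminal(ISSUER_KEYS).authenticate(card)


def relayed_tap(nfc_enabled: bool = True):
    """Attacker's phone tapped on the terminal, relaying to the victim.
    Returns (terminal accepted?, relayed traffic log)."""
    card = Card("4111111111111111", ISSUER_KEYS["4111111111111111"])
    attacker = AttackerPhone(VictimPhone(card, nfc_enabled))
    return Terminal(ISSUER_KEYS).authenticate(attacker), attacker.log


def key_in_relay_traffic(log) -> bool:
    """True if the card key ever appears in any relayed command or reply."""
    key = ISSUER_KEYS["4111111111111111"]
    return any(key in apdu or key in resp for apdu, resp in log)


if __name__ == "__main__":
    ok, log = relayed_tap()
    print("genuine tap accepted:", genuine_tap())
    print("relayed tap accepted:", ok, "| key leaked:", key_in_relay_traffic(log))
    print("relay with victim NFC off accepted:", relayed_tap(nfc_enabled=False)[0])
```

The point the simulation makes is that the terminal's challenge is answered by the genuine card every time, so the emulator needs no card secrets and no cloning takes place; the only thing the attacker controls is the channel. Cutting that channel, which is what turning NFC off or keeping the card in a shielded case does, is what the advice on this page amounts to.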
To prevent falling victim to such complex attacks, individuals are advised to verify website authenticity, only download apps from official sources, keep payment card PIN codes secure, use security apps on mobile devices, and turn off NFC when not in use. Additionally, using protective cases for RFID cards and virtual payment cards on smartphones can add an extra layer of security.
In conclusion, the NGate malware campaign represents a significant blending of traditional phishing techniques with innovative malware capabilities, potentially leading to expanded misuse cases in the future. Awareness of social engineering tactics, caution online, and robust mobile security measures are essential to safeguard against such threats.

