NGate Android Malware Steals NFC Data and Clones No-Contact Payment Cards
Experts in cybersecurity have discovered a new type of Android malware that can fraudulently transfer contactless payment information from actual credit and debit cards to a device under the control of the attacker.
The three Czech banks are the target of a malicious campaign that has been noticed by NGate, a Slovak cybersecurity firm that is tracking the malware.
In their analysis, researchers Lukáš Štefanko and Jakub Osmani found that NGate “can stealthily relay data from victims’ payment cards, via a malicious app installed on their Android devices, to the attacker’s rooted Android phone.”
This is a part of a larger campaign that uses malicious progressive web apps (PWAs) and WebAPKs to target financial institutions in the Czech Republic since November 2023. The first known deployment of NGate occurred in March 2024.
The ultimate objective of these attacks is to use NGate to copy near-field communication (NFC) data from victims’ physical payment cards. The attacker device then uses this copied data to simulate the original card, allowing unauthorized ATM withdrawals.
The legitimate tool NFCGate, which was created in 2015 for security research purposes by students from TU Darmstadt’s Secure Mobile Networking Lab, is where NGate got its start. It is believed that the malicious campaigns use a combination of SMS phishing and social engineering to trick users into downloading NGate by sending them to temporary domains that look like legitimate banking websites or official mobile banking apps that can be found on the Google Play store.
Six different NGate apps have been found between November 2023 and March 2024; however, activity appears to have stopped after a 22-year-old was arrested by Czech authorities in relation to ATM thefts.
Apart from taking advantage of NFCGate’s capability to seize NFC data and forward it to an alternate device, NGate requests users to input confidential financial data, such as PIN codes, date of birth, and banking client IDs. WebView is used to display the phishing page.
Researchers explained that “It also requests users to enable the NFC feature on their smartphone. Victims are then instructed to place their payment card against the back of their smartphone until the malicious app recognizes the card.”
The attacks use a misleading strategy in which victims install the PWA or WebAPK app via links sent to them via SMS, give their credentials to a threat actor posing as a bank employee, and then get calls from the attacker. They are then instructed to use a different mobile app (NGate), the installation link for which is also sent via SMS, to change their PIN and validate their banking card. There is no proof that these apps are available for download via the Google Play Store.
“NGate uses two distinct servers to facilitate its operations,” the researchers explained. “The first is a phishing website designed to lure victims into providing sensitive information and capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim’s device to the attacker’s.”
This revelation coincides with the discovery by Zscaler ThreatLabz of a novel iteration of the well-known Android banking trojan Copybara, which is spread by voice phishing (vishing) attempts that lure victims into entering their bank account credentials.
“This new variant of Copybara has been active since November 2023, and utilizes the MQTT protocol to establish communication with its command-and-control (C2) server,” Ruchna Nigam with Zscaler Blog noted.
Nigam adds that “The malware abuses the accessibility service feature that is native to Android devices to exert granular control over the infected device. In the background, the malware also proceeds to download phishing pages that imitate popular cryptocurrency exchanges and financial institutions with the use of their logos and application names.”
