NGate cloned the NFC data of victims' payment cards and redirected it to withdraw money from ATMs. This is the first time that Android malware with this capability has been used without the victims' devices being rooted.
Researchers at ESET, a global European leader in the cybersecurity market, have uncovered a cybercrime campaign targeting customers of three banks in the Czech Republic. The malware used, which ESET has named NGate, has the unique ability to redirect data from victims' credit cards, via a malicious app installed on their Android devices, to the attacker's Android phone. The main objective of this campaign was to facilitate unauthorized withdrawals from victims' bank accounts. This was achieved by relaying the near field communication (NFC) data of victims' physical payment cards, via the compromised Android smartphones, to the attacker's device using the Android NGate malware. The attacker then used this data to carry out ATM transactions. If the operation failed, the attacker had a backup plan: transferring funds from victims' accounts to other bank accounts.
"We have never seen this NFC redirection technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at Darmstadt University of Technology, Germany, to capture, analyze or alter NFC traffic; that's why we called this new malware family NGate," says Lukáš Štefanko, Senior Malware Researcher at ESET who discovered the new threat.
Victims downloaded and installed the malware after being tricked into thinking they were communicating with their bank and that their device had been compromised. In reality, the victims had unknowingly compromised their Android devices themselves by downloading and installing an app from a link in a deceptive SMS message about a potential tax refund.
It is important to note that NGate has never been available in the official Google Play Store.
The Android NGate malware is linked to the phishing activities of a malicious actor who has been operating in the Czech Republic since November 2023. However, ESET believes that these activities were suspended after the arrest of a suspect in March 2024. ESET Research detected the first moves of the malicious actor against customers of major Czech banks in late November 2023. The malware was distributed via short-lived domains that imitated legitimate banking websites or official mobile banking applications available in the Google Play Store. These fraudulent domains were identified through the ESET Brand Intelligence Service, which monitors threats affecting a customer's brand. During the same month, ESET reported the findings to its customers.
Attackers exploited the potential of Progressive Web Apps (PWAs), as ESET reported in a previous publication, only to then refine their strategies using a more sophisticated version of PWAs known as WebAPKs. Ultimately, the operation culminated in the deployment of the NGate malware.
In March 2024, ESET Research discovered that Android NGate malware was available on the same distribution domains previously used to facilitate phishing campaigns that distributed malicious PWAs and WebAPKs. After being installed and opened, NGate displays a fake website that requests the user's banking information, which is then sent to the attacker's server.
In addition to NFC data redirection, an attacker with physical access to payment cards could copy and emulate them, for example by reading them through purses or wallets in crowded places. However, this method is limited to small contactless payments. "Protecting yourself from complex attacks like these requires the use of proactive measures against phishing, social engineering and Android malware. This means checking website URLs, downloading apps only from official stores, keeping PIN codes secret, using security apps on phones, turning off the NFC function when it is not needed, using protective cases or virtual cards protected by authentication", advises Štefanko.
For more technical information on the new NFC threat, see the blog post "NGate Android malware relays NFC traffic to steal cash" on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.