A new Android malware can relay an NFC (near-field communication) signal from a victim's Android device to a second device held by a thief, who uses it to drain the victim's account at an ATM.
ESET security researchers have discovered a new type of Android malware, which they call NGate. It can interact with a device’s NFC traffic, capture it from apps that use NFC, and relay the data to a malicious actor, who can then mimic or replay the intercepted data.
“We haven’t seen this novel NFC relay technique in any previously discovered Android malware,” ESET researchers said. “The primary goal of this campaign is to facilitate unauthorized ATM withdrawals from the victims’ bank accounts.”
The attackers have a backup plan to directly transfer funds from victims’ accounts in case the NFC relay fails.
Clients of three Czech banks have already been targeted in a campaign. Two malicious domains were discovered mimicking the Czech banks Raiffeisenbank and ČSOB.
Surprisingly, the “research toolkit” code for such malware is open-source. It was developed by students at the Technical University of Darmstadt, Germany, and can be downloaded from GitHub. The toolkit’s main function is to transmit an NFC signal from one Android device through a server to another Android device.
The devices don’t even have to be rooted (jailbroken). The attackers found a way to misuse one of the toolkit’s features so that the captured NFC data could be relayed.
“Based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in a comment.
How would victims obtain this malicious app?
“Initial access to the device is gained by deceiving the victim into installing a malicious app, often under the guise of a false assertion that there is an overpayment of income tax that the victim can reclaim,” ESET said.
In recent campaigns, Czech citizens have been bombarded with SMS messages, robocalls, and social media ads urging them to install banking app updates. Attackers have combined social engineering and phishing with an improved technique that deploys the NGate Android malware instead of the progressive web apps (PWAs) used in earlier campaigns.
“We suspect that lure messages were sent to random phone numbers and caught customers of three banks,” the ESET report reads.
“The malware was delivered via short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store.”
The malicious app asks users to enable the smartphone's NFC feature and prompts them for sensitive information: their banking client ID, date of birth, and the PIN code for their banking card. The victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.
“We suspect that within the NGate app, the victims would enter their old PIN to create a new one and place their card at the back of their smartphone to verify or apply the change.”
Behind the scenes, the NFC data reaches the attacker’s Android device and enables them to make payments and withdraw money from ATMs with a cloned payment card using NFC.
If the NFC relay method doesn’t work, cybercriminals can transfer the funds to another account, as they already have the required credentials.
On March 28th, 2024, Czech police announced the arrest of a 22-year-old foreigner who had been withdrawing money from ATMs in Prague without any physical cards.
Upon arrest, the suspect had 160,000 Czech korunas in his possession (approximately $6,500), which were stolen from three victims. It’s likely that the total amount stolen by the same threat actor is much larger.
ESET believes that the arrest put malicious activities on hold. However, this evolution in malicious tactics will almost certainly be used again and may reach other regions.
Security experts advise carefully verifying the authenticity of any banking websites and only downloading apps from official stores. PINs and other sensitive information should be kept secret. Using digital versions of payment cards is more secure due to additional measures, such as biometric authentication.