Android Malware Steals Payment Card Data Using Never-Before-Seen Technique

A newly discovered Android malware steals payment card data using the NFC reader on the infected device and transmits it to attackers, a new technique that effectively clones the card so it can be used at ATMs or point-of-sale terminals, cybersecurity firm ESET said.

ESET researchers have named the malware NGate because it includes: NFC Gatewayan open source tool for capturing, analyzing, or altering NFC traffic. Short for near field communicationsNFC is a protocol that allows two devices to communicate wirelessly over short distances.

New attack scenario on Android

“This is a new attack scenario for Android, and the first time we have seen Android malware with this capability used in the wild,” said ESET researcher Lukas Stefanko in a report. video “The discovery shows that the NGate malware can transmit NFC data from a victim’s card via a compromised device to the attacker’s smartphone, which is then able to spoof the card and withdraw money from an ATM.”

The malware is installed through traditional phishing scenarios, such as the attacker sending messages to targets and tricking them into installing NGate from short-lived domains impersonating banks or official mobile banking apps available on Google Play. NGate disguises itself as a legitimate app from the target’s bank, prompting the user to enter the bank’s customer ID, date of birth, and the corresponding card PIN. The app then prompts the user to turn on NFC and scan the card.

ESET said it detected NGate being used against three Czech banks starting in November and identified six separate NGate apps that were in circulation between then and March this year. Some of the apps used in later months of the campaign came in the form of progressive web apps, short for Progressive Web Appswhich as reported on Thursday can be installed on Android and iOS devices even when settings (mandatory on iOS) prevent installation of apps available from unofficial sources.

ESET said the most likely reason for the NGate campaign ending in March was arrest Czech police have arrested a 22-year-old man who they say was caught wearing a mask while withdrawing money from an ATM in Prague. Investigators said the suspect “has come up with a new way to trick people and steal their money” using a scheme that appears identical to the one involving NGate.

Stefanko and fellow ESET researcher Jakub Osmani explained how the attack works:

The Czech police announcement revealed that the attack scenario began with the attackers sending text messages to potential victims about a tax return, including a link to a phishing site impersonating banks. These links likely led to malicious Progressive Web Apps. Once the victim installed the app and entered their credentials, the attacker gained access to the victim’s account. The attacker then contacted the victim, pretending to be a bank employee. The victim was told that their account had been hacked, most likely due to the previous text message. The attacker was actually telling the truth — the victim’s account had been hacked, but that truth then led to another lie.

To protect their funds, the victim was asked to change their PIN and verify their bank card using a mobile app – NGate malware. A link to download NGate was sent via SMS. We suspect that within the NGate app, victims would enter their old PIN to create a new one and put their card on the back of their smartphone to verify or apply the change.

Since the attacker already had access to the compromised account, they could change the withdrawal limits. If the NFC redirection method didn’t work, they could simply transfer the funds to another account. However, using NGate makes it easier for the attacker to access the victim’s funds without leaving traces back to the attacker’s bank account. A diagram of the attack sequence is shown in Figure 6.

The researchers said that NGate or similar apps could be used in other scenarios, such as cloning some smart cards used for other purposes. The attack would work by copying the unique identifier of the NFC tag, abbreviated as UID.

“During our tests, we successfully migrated the unique user ID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases,” the researchers wrote. “Using NFCGate, it is possible to perform an NFC transmission attack to read an NFC token in one location and, in real time, access buildings in a different location by spoofing its unique user ID, as shown in Figure 7.”

Cloning may occur in situations where an attacker has physical access to a card or is able to briefly read a card in handbags, wallets, backpacks, or smartphone cases that contain cards. To perform and simulate such attacks, an attacker would need to have a custom, rooted Android device. The phones infected with NGate did not have this requirement.