A new Android malware designed to phish victims’ card details and transmit card data to an attacker for ATM withdrawals.
A crimeware campaign in operation since March 2024 has targeted customers at three Czech banks, according to security researchers at ESET.
It uses NGate, novel malware that is unwittingly downloaded by the victim onto their device after a multi-stage phishing campaign.
After being installed and opened, NGate displays a fake website that requests the victim’s banking information, which is then sent to the attacker’s server.
However, the more interesting functionality, dubbed “NFCGate,” relays near field communication (NFC) data between victim and attacker devices. NFC is a short-range wireless technology used for contactless payments in stores and also withdrawals at ATMs, when used alongside the user’s PIN.
Read more on ATM threats: Belgium Suffers First Jackpotting Attack
NGate prompts victims to enter information including banking customer ID, date of birth and their card’s PIN code. It also asks them to turn on NFC on their smartphones and instructs the victim to place their payment card next to the device until the malicious app recognizes the card, ESET said.
With the stolen NFC data and PIN to hand, the attacker is able to impersonate the victim at an ATM to withdraw cash. If it doesn’t work, the attacker still has the phished banking information to access the victim’s account and transfer funds, ESET claimed.
The same NGate malware could be used by malicious actors with physical proximity to ‘read’ contactless card data through unattended bags and the like. However, if this technique is used to copy and emulate victim cards, it would only facilitate small contactless payments, the report added.
How NGate Malware Works
The multi-stage attack works as follows:
- Attacker sends the victim a phishing link via SMS
- The victim unwittingly installs a malicious lookalike banking app, which asks the user to input banking information
- The malicious app sends phished banking credentials to the attacker’s server
- The attacker calls the victim impersonating a banking official, pretending there’s been a security incident and urging them to change their PIN and verify their card via the malicious app
- The attacker sends an SMS link to download the NGate malware
- NGate relays the victim’s PIN and NFC traffic from their payment card
“Ensuring protection from such complex attacks requires the use of certain proactive steps against tactics like phishing, social engineering, and Android malware,” explained ESET malware researcher, Lukáš Štefanko.
“This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication.”
A Google spokesperson sent the following statement to Infosecurity: "Based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."