Boztek

NGate Android malware relays NFC traffic to steal cash

ESET researchers have identified a sophisticated crimeware campaign targeting clients of three Czech banks, utilizing a newly developed malware they named NGate. This malware is capable of relaying sensitive payment card data from victims’ Android devices directly to an attacker’s rooted phone, thereby facilitating unauthorized ATM withdrawals.

The campaign began in November 2023, characterized by a convergence of traditional cybercriminal techniques including social engineering, phishing, and Android malware. Victims were deceived into downloading malicious apps through enticing messages about tax returns. The delivery mechanism employed malicious Progressive Web Apps (PWAs) and their more advanced iterations, known as WebAPKs, which evolved into the deployment of NGate in March 2024.

NGate’s primary function is to read the Near Field Communication (NFC) data from a victim’s physical payment card and relay it to the attacker’s device, where the card is emulated. Unlike earlier Android malware with similar goals, it does not require the victim’s device to be rooted. This points to a concerning evolution in mobile threats, with attackers refining their techniques to lower the barriers to a successful attack.

Victims typically encountered NGate after being tricked into believing they were communicating with their bank about account security. The malware is disguised as a legitimate application, and its installation usually follows an earlier successful phishing step. Once NGate is installed, the user is presented with a fake website that prompts for sensitive financial details, further compromising the account.

Notably, NGate is built on a modified version of NFCGate, a tool developed for capturing, analyzing and manipulating NFC traffic. This allows the attackers to read the NFC data from a physical payment card without requiring the victim’s device to be rooted. With the card data and the PIN in hand, they can withdraw cash at ATMs or transfer funds from the victim’s account to another account, and they keep fallback options ready if the first attempt fails.

The operation targeted its primary victims, clients of Czech banks, from late November 2023 until early March 2024, when Czech authorities arrested a suspect tied to the scheme. The arrest appears to have halted the activity for now, but a resurgence, or an expansion of the technique into other regions, remains possible, which highlights the evolving nature of such threats.

The attackers’ move from PWAs to WebAPKs reflects growing sophistication. The earliest fraudulent apps were PWAs, whose browser-based presentation made them easier to recognize as suspicious; switching to WebAPKs gave a more refined, native-like experience. This shift let the attackers produce deceptive applications that were hard to distinguish from legitimate banking apps.

The attack chain began with phishing SMS messages that led victims to fraudulent websites, where they unwittingly entered their banking details. The victims were then instructed to install NGate under the pretext of securing their funds. Throughout, the attackers exploited the sense of urgency they had created while keeping the interaction plausible enough to mask its malicious intent.

In terms of technical architecture, NGate shows consistent characteristics across samples, including a common package name and hardcoded phishing URLs, indicating coordinated development and deployment. The malware has no direct command and control channel; instead, the phishing website drives its functions, such as initiating the NFC data relay.
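For app triage, the capability combination this campaign relies on (read NFC at the victim end, send the data over the network, optionally emulate a card) can be flagged from a decoded AndroidManifest.xml. The following Python heuristic is an added example, not code from ESET or from the NGate samples; the two manifests embedded in it are constructed, and the permission and intent-filter names are the standard Android ones. Legitimate wallet apps also declare these capabilities, so the result is a triage signal to follow up on, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name

# Standard Android identifiers for the capabilities an NFC relay needs:
# reading a card, sending the data out, and (on the emulating side) HCE.
NFC_PERMISSION = "android.permission.NFC"
NET_PERMISSION = "android.permission.INTERNET"
NFC_FEATURE = "android.hardware.nfc"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def nfc_relay_indicators(manifest_xml: str) -> dict:
    """Return which NFC-relay-relevant capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    features = {f.get(NAME) for f in root.iter("uses-feature")}
    hce = any(a.get(NAME) == HCE_ACTION for a in root.iter("action"))
    return {
        "nfc_access": NFC_PERMISSION in perms or NFC_FEATURE in features,
        "internet": NET_PERMISSION in perms,
        "hce_service": hce,
    }


def relay_risk(manifest_xml: str) -> str:
    """Triage level: can the app read a card and ship the data off-device?"""
    ind = nfc_relay_indicators(manifest_xml)
    if ind["nfc_access"] and ind["internet"] and ind["hce_service"]:
        return "high"    # reader + network + card emulation: full relay toolkit
    if ind["nfc_access"] and ind["internet"]:
        return "medium"  # victim-side relay shape: read card, send it out
    return "low"


# Constructed manifests for demonstration; not taken from real samples.
RELAY_LIKE = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.nfc" android:required="true"/>
  <application><service android:name=".Emu" android:exported="true"
      android:permission="android.permission.BIND_NFC_SERVICE">
    <intent-filter><action android:name="{HCE_ACTION}"/></intent-filter>
  </service></application></manifest>"""

PLAIN_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.plain">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""

if __name__ == "__main__":
    for label, m in (("relay-like", RELAY_LIKE), ("plain", PLAIN_APP)):
        print(label, relay_risk(m), nfc_relay_indicators(m))
```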

Preventive measures against such attacks center on vigilance toward phishing, installing apps only from authenticated sources, and keeping sensitive information such as payment card PINs confidential. A mobile security solution, disabling NFC when it is not in use, and carrying cards in an RFID-shielding case all help to mitigate the risk posed by threats such as NGate.

In conclusion, NGate represents a significant advancement in Android malware capabilities, demonstrating a calculated blend of social engineering, technological sophistication, and strategic malware deployment. Ongoing awareness and adaptive security practices are essential in countering the risks posed by such innovative crimeware campaigns. The case serves as a reminder of the dynamic cybersecurity landscape and the need for continued vigilance in safeguarding personal finance.