New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards
Cybersecurity researchers have uncovered new Android malware that can relay victims’ contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations.
The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia.
The malware “has the unique ability to relay data from victims’ payment cards, via a malicious app installed on their Android devices, to the attacker’s rooted Android phone,” researchers Lukáš Štefanko and Jakub Osmani said in an analysis.
The activity is part of a broader campaign that has been found to target financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.
The end goal of the attacks is to clone near-field communication (NFC) data from victims’ physical payment cards using NGate and transmit the information to an attacker device that then emulates the original card to withdraw money from an ATM.
NGate has its roots in a legitimate tool named NFCGate, which was originally developed in 2015 for security research purposes by students of the Secure Mobile Networking Lab at TU Darmstadt.
The attack chains are believed to involve a combination of social engineering and SMS phishing to trick users into installing NGate by directing users to short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store.
As many as six different NGate apps have been identified to date between November 2023 and March 2024, when the activities came to a halt likely following the arrest of a 22-year-old by Czech authorities in connection with stealing funds from ATMs.
NGate, besides abusing the functionality of NFCGate to capture NFC traffic and pass it along to another device, prompts users to enter sensitive financial information, including banking client ID, date of birth, and the PIN code for their banking card. The phishing page is presented within a WebView.
“It also asks them to turn on the NFC feature on their smartphone,” the researchers said. “Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.”
The attacks further adopt an insidious approach in that victims, after having installed the PWA or WebAPK app through links sent via SMS messages, have their credentials phished and subsequently receive calls from the threat actor, who pretends to be a bank employee and informs them that their bank account had been compromised as a result of installing the app.
They are subsequently instructed to change their PIN and validate their banking card using a different mobile app (i.e., NGate), an installation link to which is also sent through SMS. There is no evidence that these apps were distributed through the Google Play Store.
In a statement shared with The Hacker News, Google confirmed that it not did not find any app containing the malware on the official Android marketplace. The company also said users are automatically protected against known versions of NGate by Google Play Protect, which is enabled by default on Android devices with Google Play Services, even when the apps are downloaded from third-party sources.
“NGate uses two distinct servers to facilitate its operations,” the researchers explained. “The first is a phishing website designed to lure victims into providing sensitive information and capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim’s device to the attacker’s.”
The disclosure comes as Zscaler ThreatLabz detailed a new variant of a known Android banking trojan called Copybara that’s propagated via voice phishing (vishing) attacks and lures them into entering their bank account credentials.
“This new variant of Copybara has been active since November 2023, and utilizes the MQTT protocol to establish communication with its command-and-control (C2) server,” Ruchna Nigam said.
“The malware abuses the accessibility service feature that is native to Android devices to exert granular control over the infected device. In the background, the malware also proceeds to download phishing pages that imitate popular cryptocurrency exchanges and financial institutions with the use of their logos and application names.”
(The story was updated after publication to include a response from Google.)