In a concerning development for mobile security, cybersecurity researchers have identified a new strain of Android malware, dubbed NGate, which poses a significant threat to contactless payment systems. This sophisticated malware has the capability to intercept and relay payment data from victims' physical credit and debit cards to devices controlled by attackers, facilitating fraudulent transactions.
According to a report from a Slovak cybersecurity firm, the NGate malware has been linked to a targeted campaign against three banks in Czechia. Researchers Lukáš Štefanko and Jakub Osmani noted that this malware operates through a malicious application installed on victims' Android devices, allowing it to transmit sensitive payment information to an attacker's rooted Android phone.
NGate's Origins and Methodology
The NGate malware is part of a larger scheme that has been active since November 2023, utilizing malicious progressive web apps (PWAs) and WebAPKs to infiltrate financial institutions. The first recorded instance of NGate appeared in March 2024, marking the beginning of a troubling trend in cybercrime.
The primary objective of these attacks is to clone near-field communication (NFC) data from victims' payment cards. Once the data is captured, it is sent to an attacker-controlled device, which can then mimic the original card to withdraw funds from ATMs. Interestingly, NGate is based on a legitimate tool called NFCGate, initially developed for security research by students at TU Darmstadt in 2015.
Social Engineering and Phishing Tactics
The attack methodology appears to involve a combination of social engineering tactics and SMS phishing. Victims are often misled into installing NGate through deceptive links that impersonate legitimate banking websites or mobile banking applications. Between November 2023 and March 2024, researchers identified six different NGate applications, which ceased operations following the arrest of a 22-year-old suspect by Czech authorities for ATM-related theft.
NGate not only exploits the NFCGate functionality to capture NFC traffic but also prompts users to input sensitive financial information, such as their banking client ID, date of birth, and PIN code. This phishing operation is conducted through a WebView interface, where victims are instructed to enable NFC on their smartphones and place their payment cards against the back of their devices for recognition.
Complexity and Deception
Adding to the complexity of the attacks, victims who have installed the malicious PWA or WebAPK are often contacted by individuals posing as bank employees. These impersonators inform victims that their accounts have been compromised due to the installation of the app, further manipulating them into changing their PINs and validating their banking cards through another malicious app, NGate, which is also distributed via SMS links. Notably, there is no evidence that these harmful applications were made available through the Google Play Store.
Researchers have detailed that NGate operates using two distinct servers: one serves as a phishing website designed to extract sensitive information and initiate NFC relay attacks, while the other functions as an NFCGate relay server, redirecting NFC traffic from victims' devices to the attackers' systems.
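As an added defensive illustration (not code from the researchers' report, nor from NGate or NFCGate), the following Python heuristic inspects an Android manifest for the capability combination an NFC relay app needs: NFC access plus a network channel on the capturing side, and additionally a HostApduService on the side that mimics the card. The manifest below is constructed for the example; the standard Android permission and action names are real.

```python
# Added example: static triage of an Android manifest for NFC relay indicators.
# This is a defender's triage aid, not a signature for NGate; legitimate wallet
# and transit apps declare the same combination, so a hit warrants review, not
# an automatic verdict.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which relay-relevant capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A HostApduService registers this intent action so the OS routes
    # reader APDUs to the app, which is what card emulation needs.
    hce = any(a.get(ANDROID_NS + "name") == HCE_ACTION for a in root.iter("action"))
    caps = {
        "nfc": "android.permission.NFC" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "hce": hce,
    }
    if caps["nfc"] and caps["internet"] and caps["hce"]:
        caps["verdict"] = "nfc-emulation-with-network"   # card-mimicking side
    elif caps["nfc"] and caps["internet"]:
        caps["verdict"] = "nfc-reader-with-network"      # capture/forward side
    else:
        caps["verdict"] = "no-relay-indicators"
    return caps


# Constructed sample manifest (not a real NGate artifact) declaring all three.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RelayService"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Running the module on the sample prints a dict whose verdict is "nfc-emulation-with-network"; feed it the manifest extracted from a sideloaded APK to triage it the same way.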
Related Threats
In a related note, Zscaler ThreatLabz has reported on a new variant of the Copybara Android banking trojan, which has been disseminated through voice phishing (vishing) attacks. This variant, active since November 2023, employs the MQTT protocol to communicate with its command-and-control server, leveraging the accessibility service feature inherent to Android devices.