New Android malware NGate steals NFC data to clone contactless payment cards


August 26, 2024Ravi LakshmananFinancial Fraud / Mobile Security


Cybersecurity researchers have discovered new Android malware that can transfer victims’ contactless payment data from physical credit and debit cards to a device controlled by attackers to conduct fraudulent transactions.

A Slovak cybersecurity company is tracking a new malware called NGate, saying it has observed a malware campaign targeting three banks in the Czech Republic.

The malware “has the unique ability to transmit data from victims’ payment cards via a malicious app installed on their Android devices to the attacker’s rooted phone,” researchers Lukáš Štefanko and Jakub Osmani said in the analysis.

The activity is part of a wider campaign that, since November 2023, has been found to target financial institutions in the Czech Republic using Progressive Web Applications (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.


The ultimate goal of the attacks is to clone Near Field Communication (NFC) data from victims’ physical payment cards using NGate and transmit the information to the attacker’s device, which then emulates the original card to withdraw money from an ATM.

NGate has its roots in a legitimate tool called NFCGate, which was originally developed in 2015 for security research by students at the Secure Mobile Networking Lab at the Technical University of Darmstadt.


The attack chains are believed to involve a combination of social engineering and SMS phishing to trick users into installing NGate by directing users to ephemeral domains that mimic legitimate banking websites or official mobile banking apps available on the Google Play Store.

To date, six different NGate apps have been identified between November 2023 and March 2024, when the activity ceased, likely following the arrest of a 22-year-old man by the Czech authorities in connection with the theft of funds from ATMs.

In addition to abusing NFCGate functionality to capture NFC traffic and transmit it to another device, NGate prompts users to enter sensitive financial information, including their bank customer ID, date of birth, and their bank card PIN. The phishing page is presented in a WebView.

“It also asks them to enable the NFC function on their smartphone,” the researchers said. “Victims are then instructed to place a payment card on the back of the smartphone until the malware recognizes the card.”


Attacks also use a sneaky approach where victims, after installing a PWA or WebAPK via links sent via SMS, have their credentials phished and then receive calls from a threat actor posing as a bank employee informing them that their bank account was hacked as a result of installing the program.

After that, they are prompted to change their PIN and verify their bank card using another mobile app (such as NGate), the installation link of which is also sent via SMS. There is no evidence that these apps were distributed through the Google Play Store.


“NGate uses two different servers to facilitate its operations,” the researchers explained. “The first is a phishing site designed to trick victims into providing sensitive information and is capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim’s device to the attacker’s device.”

The disclosure came as Zscaler ThreatLabz detailed a new variant of the notorious Android banking trojan called Copybara, which is distributed through voice phishing (vishing) attacks and lures victims into entering their bank account credentials.

“This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to communicate with its command and control (C2) server,” Ruchna Nigam said.

“The malware abuses the accessibility service feature native to Android devices to exercise granular control over the infected device. In the background, the malware also downloads phishing pages impersonating popular cryptocurrency exchanges and financial institutions using their logos and app names.”
