Cybersecurity researchers have discovered new Android malware that can transfer victims’ contactless payment data from physical credit and debit cards to a device controlled by attackers to conduct fraudulent transactions.
Slovak cybersecurity company ESET is tracking the malware as NGate and says it has observed a campaign targeting three banks in the Czech Republic.
ESET researchers Lukáš Štefanko and Jakub Osmani said in an analysis that the malware “has the unique ability to transmit data from victims’ payment cards via a malicious app installed on their Android devices to the attacker’s rooted phone.”
The activity is part of a wider campaign that, since November 2023, has targeted financial institutions in the Czech Republic using Progressive Web Applications (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.
The ultimate goal of the attacks is to clone Near Field Communication (NFC) data from victims’ physical payment cards using NGate and transmit the information to the attacker’s device, which then emulates the original card to withdraw money from an ATM.
NGate has its roots in a legitimate tool called NFCGate, which was originally developed in 2015 for security research by students at the Secure Mobile Networking Lab at the Technical University of Darmstadt.
The attack chains are believed to involve a combination of social engineering and SMS phishing to trick users into installing NGate by directing users to ephemeral domains that mimic legitimate banking websites or official mobile banking apps available on the Google Play Store.
To date, six different NGate apps have been identified between November 2023 and March 2024, when the activity ceased, likely following the arrest of a 22-year-old man by the Czech authorities in connection with the theft of funds from ATMs.
In addition to abusing NFCGate functionality to capture NFC traffic and transmit it to another device, NGate prompts users to enter sensitive financial information, including their bank customer ID, date of birth, and their bank card PIN. The phishing page is presented in a WebView.
“It also asks them to enable the NFC function on their smartphone,” the researchers said. “Victims are then instructed to place a payment card on the back of the smartphone until the malware recognizes the card.”
Attacks also use a sneaky approach where victims, after installing a PWA or WebAPK via links sent via SMS, have their credentials phished and then receive calls from a threat actor posing as a bank employee informing them that their bank account was hacked as a result of installing the program.
After that, they are prompted to change their PIN and verify their bank card using a different mobile app (i.e., NGate), the installation link for which is also sent via SMS. There is no evidence that these apps were distributed through the Google Play Store.
“NGate uses two different servers to facilitate its operations,” the researchers explained. “The first is a phishing site designed to trick victims into providing sensitive information and is capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim’s device to the attacker’s device.”
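The relay that the two-server setup above enables (and that the attack goal described earlier depends on) is easier to reason about in code. The following Python simulation is an example added to this page, not ESET's analysis or the NFCGate project's code: the ATM reader talks to the attacker's phone in card-emulation mode, every command APDU is forwarded through a relay server to the victim's phone and on to the real card, and the response travels back the same way. The card image (two SELECT responses), the fixed network delay and the 50 ms timing threshold used by the terminal are constructed for illustration.

```python
"""Simulation of an NFC relay: terminal -> attacker's phone (card emulation)
-> relay server -> victim's phone -> physical card, and back. Example code
added to this page, not ESET's or NFCGate's; card data and timings are
constructed for illustration."""
import time
from dataclasses import dataclass, field


def parse_apdu(raw: bytes) -> dict:
    """Split a short-form ISO 7816-4 command APDU into CLA/INS/P1/P2/Lc/data/Le."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    lc, data, le = 0, b"", None
    if len(body) == 1:            # case 2: Le only
        le = body[0] or 256
    elif len(body) > 1:           # case 3/4: Lc, data, optional Le
        lc = body[0]
        data = body[1:1 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match data length")
        rest = body[1 + lc:]
        if len(rest) == 1:
            le = rest[0] or 256
        elif rest:
            raise ValueError("trailing bytes after Le")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "lc": lc, "data": data, "le": le}


# Constructed card image: SELECT PPSE and SELECT AID answer with minimal FCI
# templates plus SW 9000; anything else gets 6A82 (file not found).
PPSE = b"2PAY.SYS.DDF01"
AID = bytes.fromhex("A0000000041010")   # a public Mastercard AID
CARD_RESPONSES = {
    (0xA4, PPSE): bytes.fromhex("6F10840E") + PPSE + b"\x90\x00",
    (0xA4, AID): bytes.fromhex("6F0984") + bytes([len(AID)]) + AID + b"\x90\x00",
}


class PhysicalCard:
    """The victim's real contactless card, tapped against the victim's phone."""

    def transmit(self, raw: bytes) -> bytes:
        apdu = parse_apdu(raw)
        return CARD_RESPONSES.get((apdu["ins"], apdu["data"]), b"\x6A\x82")


@dataclass
class RelayServer:
    """Stand-in for the NFCGate relay server: forwards a command from the
    emulator side to the reader side and the response back, paying the
    network round trip in each direction that a relay cannot avoid."""
    network_delay: float = 0.0
    log: list = field(default_factory=list)

    def forward(self, raw: bytes, reader_phone) -> bytes:
        time.sleep(self.network_delay)
        resp = reader_phone.transmit(raw)
        time.sleep(self.network_delay)
        self.log.append((raw.hex(), resp.hex()))
        return resp


@dataclass
class Terminal:
    """The ATM's contactless reader. It checks the status word and also times
    each exchange: a card answers in a few milliseconds, a relayed one adds
    the Internet round trip. The threshold is a constructed illustration."""
    max_rtt: float = 0.05

    def transact(self, card_emulator, commands):
        results = []
        for raw in commands:
            t0 = time.monotonic()
            resp = card_emulator(raw)
            rtt = time.monotonic() - t0
            results.append({"cmd": raw.hex(), "resp": resp.hex(),
                            "ok": resp[-2:] == b"\x90\x00",
                            "rtt": rtt, "suspect_relay": rtt > self.max_rtt})
        return results


def run_relay(network_delay: float):
    """Drive a short EMV-style selection sequence through the relay."""
    card = PhysicalCard()
    server = RelayServer(network_delay=network_delay)
    # Attacker's phone in host card emulation: forward whatever the ATM asks.
    emulator = lambda raw: server.forward(raw, card)
    commands = [
        bytes.fromhex("00A404000E") + PPSE + b"\x00",   # SELECT PPSE
        bytes.fromhex("00A4040007") + AID + b"\x00",    # SELECT AID
        bytes.fromhex("80A8000002830000"),              # GET PROCESSING OPTIONS (not in the image)
    ]
    return Terminal().transact(emulator, commands)


if __name__ == "__main__":
    for r in run_relay(network_delay=0.1):
        print(r["cmd"][:12], "->", r["resp"], "rtt=%.3fs" % r["rtt"],
              "RELAY?" if r["suspect_relay"] else "")
```

With `network_delay=0.0` every command is answered within the threshold and the two SELECTs succeed; with a 100 ms hop each way the same responses come back but every exchange is flagged. The timing check is a simplification of the distance-bounding idea behind relay-resistance mechanisms in contactless payment kernels: the relay cannot shorten the extra round trip, so that is what a defending terminal measures.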
The disclosure came as Zscaler ThreatLabz detailed a new variant of the notorious Android banking trojan called Copybara, which is distributed through voice phishing (vishing) attacks and tricks victims into entering their bank account credentials.
“This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to communicate with its command and control (C2) server,” Zscaler’s Ruchna Nigam said.
“The malware abuses the accessibility service feature native to Android devices to exercise granular control over the infected device. In the background, the malware also downloads phishing pages impersonating popular cryptocurrency exchanges and financial institutions using their logos and app names.”