Newly Discovered Android Malware Exploits Unique Method to Steal Payment Card Information

A new Android malware called NGate has been uncovered that uses a novel technique to steal payment card data through an infected device's NFC reader. This malware effectively clones cards, allowing them to be used fraudulently at ATMs or point-of-sale terminals.

How NGate Works

NGate incorporates an open-source tool called NFCGate to capture and relay NFC traffic from a victim's card. When installed on a compromised Android device, it transmits the captured card data to an attacker's smartphone. The attacker can then use that phone to emulate the victim's card and make unauthorized withdrawals or purchases.

Security researcher Lukas Stefanko from ESET noted this is the first time such capability has been observed in Android malware in the wild.

Distribution Methods

The malware was primarily spread through phishing tactics. Attackers would message potential victims and trick them into installing NGate from short-lived domains impersonating banks or official banking apps.

Once installed, NGate masquerades as a legitimate banking app and prompts users to enter sensitive information like their banking ID, date of birth, and PIN code. It then asks users to enable NFC and scan their card.

Campaign Details

ESET discovered NGate targeting three Czech banks starting in November. Six distinct NGate apps were identified between November and March. Some later versions were distributed as Progressive Web Apps (PWAs), which can be installed on both Android and iOS even with restrictions on non-official app sources.

The campaign appears to have ended in March, possibly due to the arrest of a 22-year-old suspect in Prague caught withdrawing money from ATMs using a similar scheme.

Broader Implications

While NGate specifically targeted payment cards, researchers warn that similar techniques could be used to clone other types of smart cards like public transport tickets, ID badges, or access cards. This highlights the potential for NFC relay attacks to compromise various systems relying on contactless technology.

To carry out such attacks, perpetrators would need brief physical access to a target's card or wallet. However, phones infected with NGate do not need to be rooted or otherwise modified, unlike the attacker's device.

As contactless payment and identification systems become more prevalent, users should remain vigilant about protecting their devices and cards from unauthorized NFC access.