Cybercriminals have reportedly found a way to steal from smartphone users by exfiltrating data read from their device’s Near Field Communications (NFC) chip.
The scam was uncovered by cybersecurity researchers at ESET, who said it involves progressive web apps (PWA), advanced WebAPKs and significant social engineering in a multi-stage approach that requires a bit of naivety from the victim.
But it’s not just about stealing money. NFC technology is also used by many other services – including access cards, transport tickets and more. This can put victims at great risk.
Enter NGate
It all starts with a text message or automated call to the victim, in which the scammers pretend to be their bank and urge them to install a malicious PWA or a WebAPK, claiming that these are important updates. Since these apps do not work in the same way as classic apps, they do not require the same permissions. Instead, they gain the necessary access by abusing the browser’s API.
Once this part is done, the scammers call the victim, pretending to be a bank employee and warning them of a security incident. The only way to secure their money, the scammers explain, is to download an app that verifies the payment card and – more importantly – the PIN number.
The app is NGate, a malware that can capture NFC data from payment cards near the infected device and then send it to the attackers either directly or through a proxy. This is done via an open-source component called NFCGate, a research project that enables on-device capture, forwarding, replay and cloning capabilities.
Of course, once the victim shares their PIN number, it’s usually game over. The fraudsters would use the data to clone the card on their smartphones and either make cash withdrawals at ATMs or make purchases at POS endpoints.
Commenting on the findings, Google told the publication that Google Play Protect, Android’s default security tool, detects this malware.
“Based on our current findings, no apps containing this malware were found on Google Play.”
In general, Google does a good job of keeping its mobile app repository clean, and the majority of fake and malicious apps are usually hosted elsewhere on the internet, so the best way to stay safe is to download Android apps only from reputable sources.
Via BleepingComputer