New Android malware NGate steals NFC data to clone contactless payment cards

26 August 2024 | Ravie Lakshmanan | Financial Fraud / Mobile Security

Cybersecurity researchers have discovered a new Android malware that can forward contactless payment data from victims’ physical credit and debit cards to an attacker-controlled device to conduct fraudulent activities.

The Slovak cybersecurity company tracks the new malware under the name NGate and said it had observed the crimeware campaign targeting three banks in the Czech Republic.

The malware “has the unique ability to forward data from victims’ payment cards to the attacker’s rooted Android phone via a malicious app installed on their Android devices,” researchers Lukáš Štefanko and Jakub Osmani explained in an analysis.

The activity is part of a broader campaign targeting financial institutions in the Czech Republic since November 2023, using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate occurred in March 2024.

The ultimate goal of the attacks is to use NGate to clone Near Field Communication (NFC) data from victims’ physical payment cards and transmit the information to an attacker device, which then emulates the original card to withdraw money from an ATM.

NGate has its roots in a legitimate tool called NFCGate, which was originally developed in 2015 by students at the Secure Mobile Networking Lab at TU Darmstadt for security research purposes.

Cloning contactless payment cards

The attack chains are believed to involve a combination of social engineering and SMS phishing to trick users into installing NGate by redirecting them to ephemeral domains that mimic legitimate banking websites or official mobile banking apps available on the Google Play Store.

To date, no fewer than six different NGate apps have been identified between November 2023 and March 2024. The activities likely came to a halt following the arrest of a 22-year-old by Czech authorities in connection with the theft of funds from ATMs.

NGate not only abuses NFCGate’s functionality to intercept NFC traffic and forward it to another device, but also asks users to enter sensitive financial information, including bank customer ID, date of birth, and PIN code for their bank card. The phishing page is displayed in a WebView.

“They are also asked to turn on the NFC function of their smartphone,” the researchers said. “Then the victims are instructed to place their payment card on the back of their smartphone until the malicious app recognizes the card.”

The attacks also take an insidious approach: after victims install the PWA or WebAPK app via links sent by SMS, their credentials are phished, and they then receive calls from the threat actor posing as a bank employee, who informs them that their bank account has been compromised as a result of installing the app.

They are then asked to change their PIN and validate their bank card with another mobile app (i.e., NGate), the installation link for which is also sent via SMS. There is no evidence that these apps were distributed through the Google Play Store.

“NGate uses two different servers to facilitate its operations,” the researchers explained. “The first is a phishing website designed to trick victims into revealing sensitive information and which can initiate an NFC relay attack. The second is an NFCGate relay server designed to redirect NFC traffic from the victim’s device to the attacker’s.”
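Two details above matter for triage on a suspect handset: the malicious app needs the device's NFC capability, and it arrives by sideloading from an SMS link rather than from the Google Play Store. The following script is an added example (not code from the article or from the researchers) that reads `adb shell dumpsys package` output and flags third-party packages that request `android.permission.NFC` but were not installed by the Play Store (`com.android.vending`). The sample dump is constructed; the field names `installerPackageName=`, `codePath=` and `requested permissions:` are those found in real `dumpsys package` output, but the layout is simplified and varies between Android versions, so adjust the parser to the device you are examining.

```python
"""Triage sideloaded Android apps that request NFC, from `adb shell dumpsys package` output.

Added example for this article; not part of the NGate research. The dumpsys layout
below is a constructed approximation and may need adjusting per Android version.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"      # installer id reported for Play Store installs
NFC_PERMISSION = "android.permission.NFC"
SYSTEM_PREFIXES = ("/system", "/product", "/vendor", "/apex")  # preinstalled apps: skip (heuristic)


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None        # None when dumpsys prints "null"
    code_path: str = ""
    requested: Set[str] = field(default_factory=set)


def parse_dumpsys_packages(text: str) -> List[PackageInfo]:
    """Extract name, installer, codePath and requested permissions per 'Package [..]' block."""
    packages: List[PackageInfo] = []
    current: Optional[PackageInfo] = None
    in_requested = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:                                   # start of a new package block
            current = PackageInfo(name=m.group(1))
            packages.append(current)
            in_requested = False
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
            in_requested = False
        elif line.startswith("codePath="):
            current.code_path = line.split("=", 1)[1]
            in_requested = False
        elif line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):                # any other section header ends the list
            in_requested = False
        elif in_requested and re.fullmatch(r"[\w.]+", line):
            current.requested.add(line)
    return packages


def find_sideloaded_nfc_apps(packages: List[PackageInfo]) -> List[PackageInfo]:
    """Return user-installed packages that request NFC and did not come from the Play Store."""
    return [
        p for p in packages
        if NFC_PERMISSION in p.requested
        and p.installer != PLAY_STORE_INSTALLER
        and not p.code_path.startswith(SYSTEM_PREFIXES)
    ]


# Constructed sample: a system NFC service, a Play Store bank app, a sideloaded "card
# verification" app requesting NFC and SMS, and a sideloaded app without NFC.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.nfc] (1a2b3c):
    userId=1027
    codePath=/system/app/NfcNci
    installerPackageName=null
    requested permissions:
      android.permission.NFC
  Package [cz.examplebank.mobile] (4d5e6f):
    userId=10231
    codePath=/data/app/~~abc==/cz.examplebank.mobile-1
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.NFC
      android.permission.INTERNET
    install permissions:
      android.permission.NFC: granted=true
  Package [com.example.cardverify] (7a8b9c):
    userId=10244
    codePath=/data/app/~~def==/com.example.cardverify-1
    installerPackageName=null
    requested permissions:
      android.permission.NFC
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
  Package [com.example.flashlight] (0d1e2f):
    userId=10250
    codePath=/data/app/~~ghi==/com.example.flashlight-1
    installerPackageName=null
    requested permissions:
      android.permission.CAMERA
"""


def triage(text: str = SAMPLE_DUMPSYS) -> List[str]:
    """Return the names of flagged packages; on a real device feed in `adb shell dumpsys package`."""
    return [p.name for p in find_sideloaded_nfc_apps(parse_dumpsys_packages(text))]


if __name__ == "__main__":
    for name in triage():
        print("sideloaded app requesting NFC:", name)
```

On a device, capture the dump with `adb shell dumpsys package > dump.txt` and pass the file contents to `triage()`. A hit is a lead, not a verdict: the flagged package's install time and the `firstInstallTime=` field (also present in real dumpsys output) can then be compared with when the victim received the SMS link.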

The disclosure came after Zscaler ThreatLabz described a new variant of a known Android banking Trojan called Copybara that is spread via voice phishing (vishing) attacks and tricks users into entering their bank account details.

“This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to establish communication with its command-and-control server (C2),” said Ruchna Nigam.

“The malware abuses the accessibility feature built into Android devices to exert granular control over the infected device. In the background, the malware also downloads phishing pages that imitate popular cryptocurrency exchanges and financial institutions using their logos and application names.”

By Olivia
