Android malware stole banking data from customers of three European banks

Cybercriminals used a type of malware designed for Android devices to rob three Czech banks in a campaign uncovered over the past nine months.

Researchers at Slovakia-based cybersecurity company ESET named the malware NGate. They explained that it was used as part of a larger series of attacks in which hackers set up malicious banking applications, nearly identical to legitimate European applications, to steal user data in a sophisticated phishing scheme.

But Lukáš Štefanko, the discoverer of the new threat and technique, explained that the malware used in the attacks on Czech victims stood out because it was able to access a person’s payment cards via a malicious app installed on the victim’s Android device.

According to Štefanko, the hackers found a way to forward Near Field Communication (NFC) data from the victims’ physical payment cards to the attacker’s device via their compromised Android smartphones.

From there, the hackers used the stolen data to make transactions at ATMs. If that failed, they had a contingency plan: they simply transferred money from the victim’s bank account to other accounts.

“We have not seen this novel NFC relay technique in any previously discovered Android malware,” said Štefanko.

“Insert your card here”

The cybercriminals behind the campaign were able to convince victims to download the malicious app by sending them phishing messages that purported to be from the person’s bank. The messages claimed that their device was compromised and that victims needed to download an app to fix the problem – inadvertently infecting their device in the process.

The app was never available on the official Google Play Store, and most victims downloaded it through a link sent via SMS. The malware was distributed via domains that looked like bank websites or official mobile banking apps.

Once installed, NGate displays a fake website that asks the victim to enter banking information such as customer IDs, dates of birth, PIN codes, and more.

The app also asks victims to turn on their device’s NFC function and place their payment card on the back of their smartphone until the malicious app registers the card.

The hackers then use the NFCGate tool, which is designed to forward NFC data between two devices, to steal the card information.

ESET researchers have been tracking the activities of the actors behind the campaign since November 2023 and found that they were operating in the Czech Republic. They observed the group specifically targeting the customers of prominent Czech banks in November.

They pointed out that the group had suspended its activities for a period of time following the alleged arrest of an unnamed member in March 2024.

ESET added that this is the first time they have seen Android malware with this capability in the wild.

Štefanko urged people to be more cautious online: checking website URLs before doing anything, keeping PINs safe and turning off the NFC feature when it is not needed. He also suggested using virtual cards, which give people temporary card information they can enter on websites.


By Olivia
