New Android malware steals NFC card data for ATM withdrawals

A new Android malware is designed to steal victims’ credit card information and transmit it to an attacker for ATM withdrawals.

A crimeware campaign running since March 2024 targeted customers of three Czech banks, according to ESET security researchers.

The attacks use NGate, a new type of malware that the victim inadvertently downloads onto their device after a multi-stage phishing campaign.

Once installed and opened, NGate displays a fake website that requests the victim’s banking information, which is then sent to the attacker’s server.

Its more interesting feature, called “NFCGate,” transmits Near Field Communication (NFC) data between the victim’s and the attacker’s devices. NFC is a short-range wireless technology used for contactless payments in stores and, when combined with the user’s PIN, also for ATM withdrawals.


NGate asks victims to enter information such as their bank customer ID, date of birth and their card’s PIN code. They are also asked to turn on NFC on their smartphones and hold their payment card next to the device until the malicious app recognizes the card, ESET said.

With the stolen NFC data and PIN, the attacker can impersonate the victim at an ATM and withdraw cash. If that doesn’t work, the attacker still has the stolen banking details to access the victim’s account and transfer money, ESET claims.

The same NGate malware could be used by malicious actors in physical proximity to “read” contactless card data through unattended bags and the like. However, if this technique is used to copy and emulate victim cards, it would only enable small contactless payments, the report added.

How the NGate malware works

The multi-stage attack works as follows:

  • The attacker sends the victim a phishing link via SMS
  • The victim inadvertently installs a malicious banking app that prompts the user to enter banking details
  • The malicious app sends fake banking information to the attacker’s server
  • The attacker calls the victim pretending to be a bank employee, claiming that there has been a security incident and asking the victim to change their PIN and verify their card via the malicious app
  • The attacker sends an SMS link to download the NGate malware
  • NGate forwards the victim’s PIN and NFC traffic from their payment card

“To ensure protection against such complex attacks, certain proactive steps must be taken against tactics such as phishing, social engineering and Android malware,” explains Lukáš Štefanko, malware researcher at ESET.

“This includes checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when not needed, using protective cases or using virtual cards protected by authentication.”
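The advice above about official stores and NFC can be turned into a device triage check. The following is an added example, not code from ESET or from this article: it flags third-party apps that were not installed by an official store and that request the NFC permission. The package names and the permissions map are constructed sample data, and the listing is assumed to be the output of `adb shell pm list packages -i -3`.

```python
import re

# Installer packages treated as official stores (assumption; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
NFC_PERMISSION = "android.permission.NFC"

# One line of `pm list packages -i` output: package:<name>  installer=<name|null>
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_installers(listing):
    """Map package name -> installer package (None when none is recorded)."""
    result = {}
    for line in listing.splitlines():
        match = _LINE.match(line.strip())
        if not match:
            continue  # skip blank or unrelated lines
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def flag_sideloaded_nfc_apps(listing, requested_permissions):
    """Return sorted (package, installer) pairs for apps that did not come
    from a trusted store and request the NFC permission."""
    flagged = []
    for pkg, installer in parse_installers(listing).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        if NFC_PERMISSION in requested_permissions.get(pkg, ()):
            flagged.append((pkg, installer))
    return sorted(flagged, key=lambda item: item[0])


# Constructed sample inventory (hypothetical package names).
SAMPLE_LISTING = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cardcheck  installer=com.android.chrome
package:com.example.flashlight  installer=com.android.chrome
package:com.example.updatehelper  installer=null
"""
SAMPLE_PERMISSIONS = {
    "com.example.bank": ["android.permission.INTERNET", NFC_PERMISSION],
    "com.example.cardcheck": ["android.permission.INTERNET", NFC_PERMISSION],
    "com.example.flashlight": ["android.permission.CAMERA"],
    "com.example.updatehelper": [NFC_PERMISSION],
}

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_nfc_apps(SAMPLE_LISTING, SAMPLE_PERMISSIONS):
        print(f"review: {pkg} (installer={installer})")
```

A hit is a reason to review the app, not proof of malware: the check relies on the `-3` filter to exclude preinstalled system packages, which also report no installer.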

By Olivia
