Recent research by cybersecurity firm ESET has revealed details about a new attack campaign targeting Android smartphone users.
The cyber attack is based on complex social engineering techniques and the use of new Android malware, allowing it to steal users’ Near Field Communication data and withdraw cash from NFC-enabled ATMs.
Threat actors continue to improve their techniques
As ESET notes, the threat actors initially exploited Progressive Web App (PWA) technology, which allows apps to be installed from any website, outside the Play Store, and is supported by desktop Chromium-based browsers as well as browsers such as Firefox, Chrome, Edge, Opera, Safari, Orion and Samsung Internet Browser.
Accessed directly through the browser, PWAs are flexible and rarely suffer from compatibility issues. Once installed, a PWA can be recognized by its icon, which carries a small browser badge.

Cybercriminals use PWAs to lure unsuspecting users to full-screen phishing websites where they harvest credentials and credit card information.
The threat actors involved in this campaign then switched from PWAs to WebAPKs, a more advanced form of PWA. The difference is subtle: a PWA is an app built with web technologies, while a WebAPK packages that PWA so that it installs and behaves like a native Android application.
From an attacker’s perspective, a WebAPK is stealthier because its launcher icon carries no browser badge.

The victim downloads and installs a standalone app from the phishing website, and is not prompted for any additional permission to install an app from a third-party website.
These fraudulent websites often mimic parts of the Google Play Store to confuse users and make them believe that the installation is coming from the Play Store, when in fact it is happening directly from the fraudulent website.

NGate malware
On March 6th, the same distribution domains used in the observed PWA and WebAPK phishing campaigns suddenly began spreading a new malware called NGate. Once installed and executed on a victim’s phone, it opens a fake website and requests the user’s banking information, which is then sent to the threat actor.
In addition, the malware embeds a tool called NFCGate, a legitimate tool that can relay NFC data between two devices without requiring the device to be rooted.
Once users have provided their banking details, they are prompted to enable the NFC feature on their smartphone and hold their credit card against the back of the phone until the app recognizes the card.
Perfect social engineering
While enabling NFC in an app to recognize a payment card may seem suspicious at first, the social engineering techniques deployed by threat actors explain the scenario.
Cybercriminals send users SMS messages with links to phishing websites that mention tax returns and impersonate banking companies, directing them to malicious PWAs. Once the app is installed and run, it asks users for their banking credentials.
At this point, the threat actor calls the user, posing as the banking company. The victim is informed that their account has been compromised, possibly due to a previous SMS. The user is then asked to change their PIN and verify their bank card details using a mobile application to secure their bank account.
The user then receives a new SMS containing a link to the NGate malware application.
Once installed, the app asks users to enable NFC and to recognize their credit card by tapping it against the back of the phone, transmitting the data to the attacker in real time.

Monetizing stolen information
The information stolen by attackers enables them to carry out common frauds, such as withdrawing funds from your bank account or using your credit card information to make online purchases.
However, the NFC data stolen by cyber attackers could enable them to emulate the original credit card and withdraw cash from ATMs that use NFC, a previously unreported attack vector.
Attack scope
ESET research uncovered an attack in the Czech Republic, which exclusively targeted banking companies there.
A 22-year-old suspect was arrested in Prague with approximately 6,000 euros (6,500 USD) in his possession. Czech police say the money was stolen from three previous victims, suggesting the threat actor may have stolen even more money during this campaign.
However, as ESET researchers note, “the possibility of it spreading to other regions and countries cannot be ruled out.”
We expect to see more cybercriminals using similar techniques to steal money via NFC in the near future, especially as NFC becomes more and more popular among developers.
How to protect yourself from this threat
To avoid becoming a victim of this cyber attack, users should take note of the following:
- Verify the source of any applications you download and carefully examine the URL to ensure legitimacy.
- Avoid downloading software from sources other than official ones, such as the Google Play Store.
- Don’t give out your payment card PIN codes – banks will never ask you for this information.
- Use digital versions of traditional physical cards: these virtual cards are stored securely on your device and can be protected by additional security measures such as biometric authentication.
- Install security software on your mobile device to detect malware and unwanted applications on your phone.
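The first two recommendations above are about where an app came from. Android records the installer of every third-party package, and `adb shell pm list packages -3 -i` prints that record for the non-system apps on a device connected with USB debugging. The following script, added here as an example and not part of ESET’s research or the article, parses that output and flags packages that were not installed by the Play Store, plus packages whose name starts with `org.chromium.webapk.`, the prefix Chrome uses for WebAPKs installed from a website. The sample output, the package names and the installer shown for the WebAPK entry are constructed for illustration; the exact installer value a WebAPK reports is an assumption.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Installers that normally account for third-party apps on a consumer device.
# Anything else, or no recorded installer at all, means the app was sideloaded,
# for example from a browser download on a phishing site.
TRUSTED_INSTALLERS = {
    "com.android.vending",   # Google Play Store
}

# Chrome installs WebAPKs under package names with this prefix. A WebAPK is a
# website packaged as an app, so it deserves review regardless of installer.
WEBAPK_PREFIX = "org.chromium.webapk."

# One line per package: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages -3 -i` output into {package: installer}.

    Android prints 'null' when no installer was recorded (typical for a
    sideloaded APK); that is mapped to None.
    """
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or unexpected text: ignore
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def packages_to_review(installed: Dict[str, Optional[str]],
                       trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return packages that were sideloaded or are WebAPKs, sorted by name."""
    return sorted(
        pkg for pkg, inst in installed.items()
        if inst not in trusted or pkg.startswith(WEBAPK_PREFIX)
    )


def from_device() -> Dict[str, Optional[str]]:
    """Run the real command against a connected device (requires adb)."""
    out = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_pm_output(out)


# Constructed sample output (not captured from a real device). The package
# names are placeholders; the installer shown for the WebAPK is an assumption.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:org.chromium.webapk.a1b2c3  installer=com.android.chrome
"""

if __name__ == "__main__":
    pkgs = parse_pm_output(SAMPLE_OUTPUT)
    for p in packages_to_review(pkgs):
        print(f"review: {p} (installer={pkgs[p]})")
```

Run `from_device()` instead of the sample to triage a real phone; a flagged package is not proof of malware, only an app that did not arrive through the Play Store and whose origin should be confirmed before it is trusted with banking data.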
Users should disable NFC on their smartphones when not in use. This protects against further data theft. Attackers can read card data from handbags, wallets, and backpacks left unattended in public places. They can then use that data to make small contactless payments. Protective cases can also be used to create an effective barrier against unwanted scanning.
If you receive a call from someone claiming to be a bank employee and have any suspicions, hang up and call your usual bank contact, preferably from a different phone.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.