Cybersecurity researchers have discovered new Android malware that can relay victims’ contactless payment data from their physical credit or debit cards to devices controlled by the attacker, enabling them to carry out fraudulent activities.
A Slovakian cybersecurity firm is tracking the new malware as NGate and says it has observed crimeware attacks targeting three Czech banks.
The malware “has the unique functionality of relaying the victim’s payment card data to the attacker’s rooted Android smartphone via a malicious app installed on the victim’s Android device,” researchers Lukáš Štefanko and Jakub Osmani wrote in their analysis.
This activity is part of a broader campaign that has been found targeting Czech financial institutions using malicious Progressive Web Apps (PWAs) and WebAPKs since November 2023. Use of NGate was first recorded in March 2024.
The ultimate goal of the attack is to use NGate to relay the Near Field Communication (NFC) traffic of the victim’s physical payment card to the attacker’s device, which emulates the card at an ATM and withdraws cash. The card data is not copied onto the attacker’s phone; the physical card stays on the victim’s side and answers the ATM’s commands through the relay.
NGate has its roots in a legitimate tool called NFCGate, which was originally developed for security research purposes in 2015 by students from the Secure Mobile Networking Lab at TU Darmstadt.
The attack chain is believed to combine social engineering and SMS phishing to trick users into installing NGate by directing them to ephemeral domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play Store.
Up to six different NGate apps have been identified between November 2023 and March 2024, but activity appears to have been halted following the arrest of a 22-year-old man by Czech authorities in connection with the theft of funds from ATMs.
NGate builds on NFCGate’s ability to capture NFC traffic and forward it to another device. In addition, it prompts the user to enter sensitive banking information such as bank client ID, date of birth and bank card PIN; the phishing page that collects this data is displayed within a WebView.
“It also requests that the smartphone’s NFC function be turned on,” the researchers said. “Victims are then instructed to place their payment card on the back of the smartphone until the malicious app recognizes the card.”
Moreover, the attacks employ a multi-stage technique: victims are first phished for their credentials after installing a PWA or WebAPK app through a link sent via SMS. They then receive a call from the threat actor posing as a bank employee, who tells them that their bank account has been compromised as a result of installing the app.
The victims are then instructed to change their PIN and “verify” their bank card using a second mobile app, NGate itself, whose installation link is also sent via SMS. There is no evidence that any of these apps were distributed through the Google Play Store.
“NGate uses two different servers to facilitate its activities,” the researchers explain. “The first is a phishing website designed to lure victims into providing sensitive information so that an NFC relay attack can be launched. The second is the NFCGate relay server, responsible for redirecting NFC traffic from the victim’s device to the attacker’s device.”
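The relay architecture described above (the victim’s phone reading the card, the relay server forwarding traffic, the attacker’s phone emulating the card at the ATM) is easier to reason about as an exchange of APDUs. The following is an added simulation written for this article, not code from NGate, NFCGate or ESET. All three roles run in one process, the “physical card” answers only a SELECT PPSE command with a constructed FCI response, and the relay server’s network latency is simulated with a sleep. The class names and the 20 ms “direct tap” threshold are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed sample APDUs (hex). SELECT PPSE ("2PAY.SYS.DDF01") is the first
# command a contactless EMV terminal sends; the FCI bytes below are an
# illustrative, well-formed response listing one AID, followed by SW 9000.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
PPSE_FCI = bytes.fromhex(
    "6F23840E325041592E5359532E4444463031A511BF0C0E610C4F07A0000000031010870101"
) + b"\x90\x00"
SW_NOT_FOUND = b"\x6A\x82"  # ISO 7816 status word: file or application not found


class PhysicalCard:
    """Stand-in for the victim's real card: answers a tiny known command set."""

    def transceive(self, apdu: bytes) -> bytes:
        if apdu == SELECT_PPSE:
            return PPSE_FCI
        return SW_NOT_FOUND


class VictimPhone:
    """The 'reader' side: NFC is switched on, the card is held against the back
    of the phone, and every command arriving from the relay is sent to the card."""

    def __init__(self, card: PhysicalCard):
        self.card = card

    def handle(self, apdu: bytes) -> bytes:
        return self.card.transceive(apdu)


class RelayServer:
    """The relay server: forwards bytes between the two phones. Network latency
    is simulated with sleep() on each leg (assumption: symmetric delay)."""

    def __init__(self, victim: VictimPhone, latency_s: float):
        self.victim = victim
        self.latency_s = latency_s

    def forward(self, apdu: bytes) -> bytes:
        time.sleep(self.latency_s)          # ATM side -> victim phone
        response = self.victim.handle(apdu)
        time.sleep(self.latency_s)          # victim phone -> ATM side
        return response


class AttackerPhone:
    """The attacker's phone in host card emulation mode at the ATM. On Android
    the platform would hand each terminal command to a HostApduService; here the
    handler simply pushes it through the relay and returns whatever comes back."""

    def __init__(self, relay: RelayServer):
        self.relay = relay

    def process_command_apdu(self, apdu: bytes) -> bytes:
        return self.relay.forward(apdu)


@dataclass
class Terminal:
    """Contactless terminal/ATM: talks to whatever device is presented and
    records each command, response and round-trip time."""

    log: list = field(default_factory=list)

    def transact(self, device, apdu: bytes):
        t0 = time.monotonic()
        response = device.process_command_apdu(apdu)
        rtt = time.monotonic() - t0
        self.log.append((apdu.hex(), response.hex(), rtt))
        return response, rtt


def run_relay_session(latency_s: float = 0.05):
    """Wire up card -> victim phone -> relay -> attacker phone -> terminal and
    run one SELECT PPSE through the chain. Returns (response, rtt, log)."""
    hce = AttackerPhone(RelayServer(VictimPhone(PhysicalCard()), latency_s))
    terminal = Terminal()
    fci, rtt = terminal.transact(hce, SELECT_PPSE)
    return fci, rtt, terminal.log


def latency_looks_relayed(rtt_s: float, direct_tap_max_s: float = 0.02) -> bool:
    """Caveat, not part of the article: a card on the terminal's own field
    answers SELECT in a few milliseconds, while a relayed card pays two network
    legs per command. Round-trip time is therefore one of the few signals a
    terminal or issuer has; the threshold here is an illustrative assumption."""
    return rtt_s > direct_tap_max_s


if __name__ == "__main__":
    for latency in (0.0, 0.05):
        fci, rtt, log = run_relay_session(latency)
        print(f"latency {latency*1000:.0f} ms/leg -> rtt {rtt*1000:.1f} ms, "
              f"relayed? {latency_looks_relayed(rtt)}, SW {fci[-2:].hex()}")
```

The terminal never sees anything but a card that answers correctly, which is the point of a relay: no cryptographic material is cloned, the genuine card performs every computation, and only latency distinguishes the relayed tap from a direct one.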
The revelation comes after Zscaler ThreatLabz detailed a new variant of the well-known Android banking Trojan Copybara, which spreads via voice phishing (vishing) attacks to trick users into entering their bank account credentials.
“This new variant of Copybara has been active since November 2023 and is utilizing the MQTT protocol to establish communication with its command and control (C2) servers,” Ruchna Nigam said.
“The malware exploits the Accessibility Service feature native to Android devices to gain granular control over the infected device. In the background, the malware also downloads phishing pages that mimic the logos and application names of popular cryptocurrency exchanges and financial institutions.”