Recently discovered Android malware steals payment card details via an infected device’s NFC reader and forwards them to attackers. This new technique effectively clones the card so it can be used at ATMs or point-of-sale devices, security firm ESET reports.
ESET researchers named the malware NGate because it contains NFCGate, an open-source tool for capturing, analyzing or modifying NFC traffic. NFC stands for Near-Field Communication and is a protocol that allows two devices to communicate wirelessly over short distances.
New Android Attack Scenario
“This is a new Android attack scenario and it's the first time we've seen Android malware with this capability being used in the wild,” ESET researcher Lukas Stefanko said in a video demonstrating the discovery. “NGate malware can pass NFC data from a victim's card via a compromised device to an attacker's smartphone, who can then emulate the card and withdraw money from an ATM.”
The malware was deployed via traditional phishing scenarios, such as the attacker messaging the target and tricking them into installing NGate from ephemeral domains impersonating banks or official mobile banking apps available on Google Play. NGate, which poses as a legitimate app for the target’s bank, prompts the user to enter the bank’s client ID, date of birth, and the PIN associated with the card. The app then prompts the user to enable NFC and scan the card.
ESET said it discovered NGate being used against three Czech banks starting in November, and identified six separate NGate apps circulating between then and March of this year. Some of the apps used in later months of the campaign came in the form of PWAs, short for Progressive Web Apps, which, as reported on Thursday, can be installed on both Android and iOS devices, even when device settings (always enforced on iOS) block the installation of apps from unofficial sources.
The most likely reason the NGate campaign ended in March, ESET said, was the arrest by Czech police of a 22-year-old they said they caught wearing a mask while withdrawing money from ATMs in Prague. Investigators said the suspect had “devised a new way to extort money from people” using a scheme that sounds identical to the one used with NGate.
Stefanko and ESET researcher Jakub Osmani explained how the attack worked:
The announcement from the Czech police revealed that the attack scenario started with the attackers sending text messages to potential victims about a tax return, including a link to a phishing website posing as a bank. These links most likely led to malicious PWAs. After the victim installed the app and entered their credentials, the attacker gained access to the victim’s account. The attacker then called the victim, pretending to be a bank employee. The victim was informed that their account had been compromised, likely because of the earlier text message. The attacker was actually telling the truth: the victim’s account had been compromised, but this truth then led to another lie.
In order to ‘protect’ their money, victims were asked to change their PIN and verify their bank card with a mobile app: NGate malware. A link to download NGate was sent via SMS. We suspect that within the NGate app, victims entered their old PIN to create a new one and put their card on the back of their smartphone to verify or apply the change.
Since the attacker already had access to the compromised account, they could change the withdrawal limits. If the NFC relay method didn’t work, they could simply transfer the funds to another account. However, by using NGate, the attacker can more easily access the victim’s funds without leaving any traces to the attacker’s own bank account. A diagram of the attack sequence is shown in Figure 6.
The researchers said that NGate or similar apps could be used in other scenarios, such as cloning smart cards that are used for other purposes. The attack would work by copying the NFC tag's unique ID, abbreviated as UID.
“In our testing, we successfully relayed the UID of a MIFARE Classic 1K tag, which is typically used for public transportation tickets, ID badges, membership or student cards, and similar use cases,” the researchers wrote. “With NFCGate, it is possible to perform an NFC relay attack to read an NFC token in one location and gain real-time access to buildings in another location by emulating its UID, as shown in Figure 7.”
Cloning can happen in situations where the attacker has physical access to a card or is able to briefly read a card in unattended handbags, wallets, backpacks, or smartphone cases holding cards. To execute such attacks and emulate the card, the attacker must have a rooted and modified Android device. Phones infected by NGate did not have this requirement.