A new Android malware called NGate uses the smartphone's NFC chip to relay payment-card data to a device held by the attacker, allowing the card to be used for cash withdrawals and payments without it ever leaving the victim's hands. The attack goes beyond the technical part: it relies on a good dose of social engineering to get victims to install the malicious app and hand over the information needed for the transactions.
The information was shared by cybersecurity company ESET in a blog post published on August 22, 2024. According to the company, this is the first time an Android malware abusing NFC in this way has been observed in the wild. The criminals were operating in Czechia (formerly known as the Czech Republic); one of them was arrested in Prague, the country's capital, after making several withdrawals in a row.
New Android malware – #NGate – relays NFC data from victims’ payment cards, via victims’ compromised mobile phones, to attacker's device waiting at an ATM to withdraw cash https://t.co/aM4v0lC6we pic.twitter.com/3MPRPe7qUB
— Lukas Stefanko (@LukasStefanko) August 22, 2024
The attack uses fake websites with malicious apps
According to the researchers, a typical attack begins with automated (pre-recorded) phone calls and text messages. Their goal is to trick the victim into installing a malicious progressive web app (PWA). The links point to pages that imitate the Google Play Store and the bank's own website, and the messages suggest that an urgent update is needed to keep the account holder's money safe.
This first app requests no permissions at install time: a PWA runs inside the browser and reaches the hardware it needs through the browser's own APIs. The second step is to install a component called NFCGate, a tool originally developed by university researchers to study and experiment with NFC.
To get there, the attackers once again resort to social engineering. A member of the gang phones the victim, pretends to be from the bank, and says there has been a security incident. The criminal then sends a link to download NGate, which bundles NFCGate. It is this component that lets the criminals capture data from a card held near the phone.
Scammers pretend to be from the bank to steal passwords
ESET describes several possible paths from this point. In one of them, the criminal, still posing as the bank's call center, asks the customer to change their card PIN. Then comes the trick: the victim is asked to enter the old PIN, then the new one, and finally to hold the card against the phone to "confirm" the change.
All of this actually serves to steal the card data and the PIN. The NFC data read from the card is relayed over the internet to a second Android phone under the scammers' control, which emulates the card at an ATM or payment terminal, while the stolen PIN is typed in when the machine asks for it.
The researchers also consider another scenario: reading cards through bags, backpacks or wallets in crowded public places. In that case, however, the thieves would not have the PIN and could only make small contactless payments that do not ask for it.
ESET believes the technique would not work against cards stored in Google Pay or Apple Pay, since both require the user to authenticate for each NFC payment.
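To make the relay path in the scenarios above concrete, here is an added toy simulation in Python; it is not code from ESET, NGate or NFCGate. The card protocol (the SELECT/READ/AUTH command tags, an HMAC "cryptogram", the PAN and the key) is constructed for illustration and is not EMV, and the network hop between the attacker's phone and the victim's phone is a plain function call. The point it demonstrates is that a terminal's exchange with a relayed card is byte-for-byte identical to a direct tap, and that a wallet token which releases its cryptogram only for a tap the user has just authorised (the Google Pay / Apple Pay behaviour the paragraph above describes) is refused when relayed.

```python
import hashlib
import hmac
import os

# Constructed command tags for a toy challenge-response card protocol (not real EMV).
CMD_SELECT = b"SELECT"
CMD_READ = b"READ"
CMD_AUTH = b"AUTH:"       # followed by a terminal challenge
SW_OK = b"\x90\x00"       # ISO 7816 status word: success
SW_DENIED = b"\x69\x85"   # ISO 7816 status word: conditions of use not satisfied


class PhysicalCard:
    """A contactless card: it answers whichever reader polls it, with no user step."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key  # constructed per-card secret, shared with the issuer

    def transceive(self, apdu: bytes) -> bytes:
        if apdu == CMD_SELECT:
            return b"APP:toypay" + SW_OK
        if apdu == CMD_READ:
            return self.pan.encode() + SW_OK
        if apdu.startswith(CMD_AUTH):
            challenge = apdu[len(CMD_AUTH):]
            return hmac.new(self.key, challenge, hashlib.sha256).digest() + SW_OK
        return b"\x6d\x00"  # ISO 7816: instruction not supported


class WalletToken(PhysicalCard):
    """A card in a phone wallet: same protocol, but the cryptogram is released only
    for a tap the user has just authorised (unlock/biometric), and only once."""

    def __init__(self, pan: str, key: bytes):
        super().__init__(pan, key)
        self.tap_authorised = False

    def user_authorises_tap(self) -> None:
        self.tap_authorised = True

    def transceive(self, apdu: bytes) -> bytes:
        if apdu.startswith(CMD_AUTH):
            if not self.tap_authorised:
                return SW_DENIED
            self.tap_authorised = False  # consumed by this single transaction
        return super().transceive(apdu)


class RelayedCard:
    """What the terminal talks to on the attacker's phone: every command is shipped to
    the victim's phone (a function call stands in for the network), which taps the
    real card and returns the response bytes unchanged."""

    def __init__(self, send_to_victim_phone):
        self.send_to_victim_phone = send_to_victim_phone

    def transceive(self, apdu: bytes) -> bytes:
        return self.send_to_victim_phone(apdu)


class Terminal:
    """ATM/POS side: select the application, read the PAN, then challenge the card and
    check the answer against the key the issuer holds for that PAN."""

    def __init__(self, issuer_keys: dict):
        self.issuer_keys = issuer_keys

    def run_transaction(self, card, challenge: bytes = b""):
        """Return (approved, transcript); transcript is a list of (command, response)."""
        transcript = []

        def send(cmd: bytes) -> bytes:
            resp = card.transceive(cmd)
            transcript.append((cmd, resp))
            return resp

        if not send(CMD_SELECT).endswith(SW_OK):
            return False, transcript
        pan_resp = send(CMD_READ)
        if not pan_resp.endswith(SW_OK):
            return False, transcript
        pan = pan_resp[:-2].decode()
        challenge = challenge or os.urandom(16)
        auth_resp = send(CMD_AUTH + challenge)
        if not auth_resp.endswith(SW_OK) or pan not in self.issuer_keys:
            return False, transcript
        expected = hmac.new(self.issuer_keys[pan], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(auth_resp[:-2], expected), transcript


def demo(challenge: bytes = b"\x01" * 16) -> dict:
    """Run the cases from the text with constructed data and return the outcomes."""
    pan, key = "4000000000000002", b"constructed-toy-card-key"  # constructed values
    terminal = Terminal({pan: key})
    card = PhysicalCard(pan, key)
    direct_ok, direct_log = terminal.run_transaction(card, challenge)
    # NGate-style relay: the attacker's phone at the ATM forwards each command to the
    # victim's phone, which holds the real card against its NFC reader.
    relay_ok, relay_log = terminal.run_transaction(RelayedCard(card.transceive), challenge)
    wallet = WalletToken(pan, key)
    # Relaying a wallet token: nobody authorised this tap, so the cryptogram is refused.
    wallet_relay_ok, _ = terminal.run_transaction(RelayedCard(wallet.transceive), challenge)
    wallet.user_authorises_tap()
    wallet_direct_ok, _ = terminal.run_transaction(wallet, challenge)
    return {
        "card_direct": direct_ok,
        "card_relayed": relay_ok,
        "relay_indistinguishable": direct_log == relay_log,
        "wallet_relayed": wallet_relay_ok,
        "wallet_direct_after_auth": wallet_direct_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The terminal never learns that the bytes took a detour through the internet; in this toy model nothing in the exchange binds the card to the reader in front of it, which is exactly why a physical card can be "used" by whoever is standing at the ATM. The wallet case fails only because the token refuses to produce a cryptogram without a fresh user authorisation, a step the relay cannot supply.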
Researchers recommend some actions to protect yourself from attacks like these:
- check the authenticity of websites;
- download apps only from official sources, such as the Play Store;
- keep your card PIN and banking passwords secret;
- turn off NFC when not in use;
- place cards in RFID-protected wallets;
- use digital versions of cards in smartphone wallets.
Sources: ESET, BleepingComputer