Android Malware Steals Payment Card Data Using Infected Device’s NFC Reader

Cybersecurity firm ESET has discovered a novel technique used by newly detected Android malware, known as NGate, to steal payment card data using an infected device’s NFC reader. The malware relays the stolen data to attackers, allowing them to clone the card and use it at ATMs or point-of-sale terminals.

The attack scenario begins with traditional phishing tactics: attackers send SMS messages to potential victims, tricking them into installing NGate from short-lived domains impersonating banks or official mobile banking apps. The malware prompts users to enter their bank account credentials and PIN code, and to turn on NFC to scan the card.

ESET researchers discovered NGate being used against three Czech banks starting in November 2022 and identified six separate NGate apps circulating between then and March of this year. Some of the apps were Progressive Web Apps (PWAs), which can be installed on both Android and iOS devices.

The attack sequence involves an attacker sending SMS messages to potential victims about a tax return, including a link to a phishing website impersonating banks. Once the victim installs the app and enters their credentials, the attacker gains access to the victim’s account. The attacker then calls the victim, pretending to be a bank employee, and requests that they change their PIN and verify their banking card using NGate.

The researchers noted that NGate or similar apps could be used in other scenarios, such as cloning smart cards used for other purposes. In those scenarios, the attack works by copying the unique ID of an NFC tag, allowing attackers to access premises or read data from a remote location.

Source: https://arstechnica.com/security/2024/08/android-malware-uses-nfc-to-read-payment-card-data-then-sends-it-to-attacker/