Newly discovered Android malware uses an infected device’s NFC reader to steal payment card data and relay it to attackers, effectively cloning cards for use at ATMs and point-of-sale terminals, according to security firm ESET.
ESET researchers named the malware NGate because it incorporates NFCGate, an open source tool for capturing, analyzing or modifying NFC traffic. NFC stands for Near Field Communication, a protocol that allows two devices to communicate wirelessly over short distances.
New Android attack scenarios
“This is a new Android attack scenario and the first time we’ve seen Android malware with this functionality in the wild,” ESET researcher Lukas Štefanko said in a video explaining the discovery. “The NGate malware relays NFC data from the victim’s card via the compromised device to the attacker’s smartphone, allowing the smartphone to emulate the card and withdraw cash from an ATM.”
Lukas Štefanko, Unmasking NGate (video).
The malware was installed through traditional phishing scenarios, where attackers sent messages to targets enticing them to install NGate from ephemeral domains impersonating official mobile banking apps available from banks or Google Play. NGate poses as a legitimate app from the target’s bank and asks the user to enter their bank client ID, date of birth, and the PIN code corresponding to their card. The app then asks the user to turn on NFC and scan the card.
ESET said it discovered NGate being used against three Czech banks starting in November, and identified six NGate apps in circulation between then and March of this year. Some of the apps used later in the campaign were PWAs (Progressive Web Apps), which could be installed on both Android and iOS devices even when device settings block the installation of apps from unofficial sources, a restriction that iOS enforces, according to Thursday’s report.
According to ESET, the most likely reason why NGate attacks died down in March was the arrest by Czech police of a 22-year-old masked man who was seen withdrawing cash from an ATM in Prague. Investigators said the suspect “devised a new way to scam people out of their money” using a method very similar to those associated with NGate.
Štefanko and ESET researcher Jakub Osmani explained how the attack works:
According to the Czech police statement, the attack scenario started with the attacker sending potential victims SMS messages about tax returns. The messages contained links to phishing sites posing as banks. These links likely led to malicious PWAs. Once the victim installed the app and entered their credentials, the attacker gained access to the victim’s account. The attacker then called the victim, posing as a bank employee. The victim was informed that their account had been compromised, possibly due to a previous text message. The attacker was actually telling the truth: the victim’s account had been compromised, but this truth then led to another lie.
To “protect” their funds, victims were asked to change their PIN and authenticate their bank card using a mobile app (NGate malware). A link to download NGate was sent via SMS. Within the NGate app, victims would enter their old PIN and create a new PIN, then place their card on the back of their smartphone to authenticate or apply the change.
Because the attacker already had access to the compromised account, he was able to change the withdrawal limit. If the NFC relay method didn’t work, he could simply transfer the funds to another account. However, NGate allows the attacker to easily access the victim’s funds without leaving any traces in his own bank account. A diagram of the attack sequence is shown in Figure 6.
Overview of NGate attacks. (Image: ESET)
The researchers say NGate and similar tooling could also be used in other scenarios, such as cloning smart cards used for purposes other than payment. In that case the attack relays the NFC tag’s unique identifier (UID).
“During testing, we successfully relayed the UID from a MIFARE Classic 1K tag, which is commonly used in public transport tickets, ID badges, membership and student cards, and similar use cases,” the researchers wrote. “Using NFCGate, we can perform an NFC relay attack to read an NFC token in one location and then emulate its UID to gain real-time access to facilities in another location, as shown in Figure 7.”
Figure 7. An Android smartphone (right) reading the UID of an external NFC token and relaying it to another device (left). (Image: ESET)
Cloning can occur if an attacker has physical access to the card, or is able to briefly read the card inside an unattended purse, wallet, backpack, or smartphone case. To emulate the relayed card at the terminal, the attacker’s own receiving device must be a rooted and customized Android phone. The victims’ phones infected with NGate did not need to be rooted: they only read the card and forward what it says.
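To make the relay mechanism described above concrete, here is an added toy model written for this page; it is not code from ESET, NGate or NFCGate. The "reader" half sits on the victim's card, the "emulator" half sits on the terminal, and every command the terminal sends is forwarded to the real card and every answer forwarded back. The NFC radio and the network hop are both replaced by in-memory calls, the card's response data and UID are constructed, and the terminal's latency budget (`max_rtt_ms`) is an assumption that models the relay-resistance timing checks some EMV contactless kernels define; only the `SELECT PPSE` APDU bytes are real.

```python
from dataclasses import dataclass, field

SW_OK = b"\x90\x00"              # ISO 7816 status word: success
SW_FILE_NOT_FOUND = b"\x6a\x82"  # ISO 7816 status word: file/application not found

# Real APDU: SELECT the contactless payment environment "2PAY.SYS.DDF01" (PPSE).
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
# Constructed follow-up command standing in for the rest of the EMV dialogue.
READ_RECORD = bytes.fromhex("00B2010C00")


@dataclass
class Card:
    """Simulated ISO 14443 card: a UID plus a table of command APDU -> response data."""
    uid: bytes
    responses: dict

    def transceive(self, apdu: bytes) -> bytes:
        data = self.responses.get(apdu)
        return SW_FILE_NOT_FOUND if data is None else data + SW_OK


@dataclass
class DirectChannel:
    """The card is physically on the terminal: no added round-trip time."""
    card: Card

    def anticollision(self):
        return self.card.uid, 0.0

    def exchange(self, apdu: bytes):
        return self.card.transceive(apdu), 0.0


@dataclass
class RelayChannel:
    """Emulator phone at the terminal, reader phone on the victim's card, a link in between.
    Each exchange crosses the link twice, so the terminal sees two one-way delays added."""
    card: Card
    one_way_ms: float
    log: list = field(default_factory=list)  # what an analyst would see on the relay link

    def anticollision(self):
        self.log.append(("uid", self.card.uid))
        return self.card.uid, 2 * self.one_way_ms

    def exchange(self, apdu: bytes):
        resp = self.card.transceive(apdu)  # reader phone taps the real card
        self.log.append((apdu, resp))
        return resp, 2 * self.one_way_ms   # emulator phone replays the answer


def run_transaction(channel, max_rtt_ms: float = 20.0) -> dict:
    """Terminal side. Reads the UID, runs the command sequence, then applies a latency
    budget modelled on EMV relay-resistance timing checks (threshold is an assumption)."""
    uid, slowest = channel.anticollision()
    result = {"uid": uid.hex(), "responses": [], "accepted": True, "reason": "ok"}
    for apdu in (SELECT_PPSE, READ_RECORD):
        resp, rtt = channel.exchange(apdu)
        slowest = max(slowest, rtt)
        if not resp.endswith(SW_OK):
            return {**result, "accepted": False, "reason": "card error " + resp.hex()}
        result["responses"].append(resp[:-2].hex())  # strip the status word
    if slowest > max_rtt_ms:
        return {**result, "accepted": False,
                "reason": "round trip %.0f ms exceeds %.0f ms budget" % (slowest, max_rtt_ms)}
    return result


def victim_card() -> Card:
    """Constructed card: 4-byte UID (MIFARE Classic 1K style) and placeholder response data."""
    return Card(uid=bytes.fromhex("04A1B2C3"),
                responses={SELECT_PPSE: b"\x6f\x04" + b"FCI!",
                           READ_RECORD: b"\x70\x03" + b"rec"})


if __name__ == "__main__":
    print(run_transaction(DirectChannel(victim_card())))
    relay = RelayChannel(victim_card(), one_way_ms=80)
    print(run_transaction(relay, max_rtt_ms=float("inf")))   # no timing check: relay succeeds
    print(run_transaction(RelayChannel(victim_card(), one_way_ms=80)))  # budget enforced: rejected
```

The middle run is the attack the article describes: a terminal with no timing check sees exactly the same UID and responses through the relay as it would from the card itself, which is why the emulating phone can complete a withdrawal. The last run shows the one property the relay cannot hide, the extra round-trip time of the network hop, and why relay-resistance checks on the terminal, not anything on the victim's phone, are what break this class of attack.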