Cybersecurity experts have discovered a new Android malware, named NGate, designed to intercept contactless payment data from physical credit and debit cards and transmit it to an attacker-controlled device for fraudulent purposes.
The malware, being tracked by a Slovak cybersecurity firm, has been detected in a campaign targeting three banks in Czechia. Researchers Lukáš Štefanko and Jakub Osmani explained that NGate “has a distinct capability to relay payment card data from victims, via a malicious app installed on their Android devices, to an attacker’s rooted Android phone.”
This malware campaign, which began targeting financial institutions in Czechia in November 2023, utilizes malicious progressive web apps (PWAs) and WebAPKs. The first known deployment of NGate was observed in March 2024.
The primary aim of these attacks is to clone near-field communication (NFC) data from victims’ physical payment cards, allowing the attacker to transmit this data to their own device, which can then mimic the original card to withdraw funds from ATMs.
NGate is derived from a legitimate tool called NFCGate, initially developed for security research in 2015 by students at the Secure Mobile Networking Lab at TU Darmstadt.
The attack strategy is believed to combine social engineering tactics and SMS phishing to deceive users into installing NGate. This is achieved by directing them to short-lived websites that imitate legitimate banking portals or official mobile banking apps that appear to be available on the Google Play store.
To date, six different versions of NGate have been identified, used between November 2023 and March 2024. The campaign likely ceased following the arrest of a 22-year-old by Czech authorities for stealing ATM funds.
Beyond leveraging NFCGate’s functionality to capture and relay NFC traffic to another device, NGate also prompts users to provide sensitive information such as banking client IDs, birth dates, and banking card PINs. This information is harvested through a phishing page displayed in a WebView.
“The malware instructs users to enable the NFC feature on their smartphones,” the researchers noted. “Subsequently, victims are asked to place their payment card against their smartphone until the app reads the card.”
The attack becomes more deceptive once victims have installed the PWA or WebAPK app via the SMS links and have been phished through it. They then receive calls from the attacker posing as a bank representative, falsely claiming their bank account is at risk because of the app installation.
Victims are further instructed to change their PIN and validate their banking card using another mobile app (NGate), for which an installation link is also sent through SMS. These apps have not been distributed via the Google Play Store.
Researchers stated, “NGate operates using two distinct servers. The first server is a phishing site that tricks victims into divulging sensitive information and can launch an NFC relay attack. The second server, an NFCGate relay server, is used to redirect NFC traffic from the victim’s device to the attacker’s.”
This revelation coincides with a report from Zscaler ThreatLabz on a new variant of the Android banking trojan, Copybara, spread through voice phishing (vishing) attacks, which lure victims into entering their bank details.
Ruchna Nigam stated, “This new Copybara variant has been active since November 2023, employing the MQTT protocol for communication with its command-and-control (C2) server.”
“The malware exploits Android’s accessibility services to gain detailed control over infected devices. It also downloads phishing pages that mimic popular cryptocurrency exchanges and financial institutions, using their logos and app names.”