A dangerous new type of Android malware has surfaced that clones contactless payment data from physical credit and debit cards and forwards it to an attacker’s Android device to enable fraudulent transactions. ESET researchers are tracking the malware, called NGate, which they described this week as the first of its kind they’ve observed in the wild.
Leveraging a Legit Tool
NGate is actually based on NFCgate, a tool that students at Germany’s University of Darmstadt developed to capture, analyze, and alter near-field communication (NFC) traffic. NFC is what allows devices — such as smartphones — to communicate wirelessly with each other over short distances.
The university students have described NFCgate as a legitimate research tool for reverse-engineering protocols or for assessing protocol security in different traffic conditions.
Among other things, NFCgate can capture NFC traffic that applications running on an Android phone might send or receive; relay NFC traffic between two devices via a server; replay captured NFC traffic; and clone identification and other initial tag information. “I believe it’s for research purposes to demonstrate it is possible to extend the distance of NFC contactless communication — that is only up to 5 to 10 centimeters — by using Android phones,” says Lukas Stefanko, ESET’s senior malware researcher.
ESET observed a threat actor leveraging NFCgate’s capability in combination with phishing and social engineering lures to try to steal cash from victim bank accounts via fraudulent ATM transactions.
Sneaky Scam
The scam involves threat actors, possibly a 22-year-old recently arrested by Czech authorities, sending text messages about tax issues to potential victims in the Czech Republic. Those who click on the link eventually receive a Progressive Web Application (PWA) or Web APK (Android package) that phishes for their banking credentials and sends them to the attackers. Attackers have long used similar apps to get users to divulge their banking information.
Threat actors then call potential victims, pretending to be bank employees, to notify them of security incidents regarding their accounts and ask them to change their PINs and verify their cards. Victims who fall for the social engineering ruse receive a link to download NGate, which then performs a series of steps to enable fraudulent ATM withdrawals. ESET says, “Once installed and opened, NGate displays a fake website that asks the user to enter their banking information, which is then sent to the attacker’s server.”
The malware prompts the victim to enter the bank’s customer ID, date of birth, card PIN and other sensitive information. ESET said it also asks the victim to enable NFC on the smartphone and place the payment card on the back of the smartphone until the malicious application recognizes the card. At this point, NGate captures NFC data from the victim’s card and sends it through a server to the attacker’s Android device.
The attacker’s Android phone would need to be rooted, or compromised at the kernel level, for it to be able to use the relayed data. The NFC data allows the attacker to essentially clone the victim’s card on their smartphone and use it to make payments and withdraw money from ATMs that support the NFC feature.
If this method failed, the attacker’s fallback was to use the bank account data the victim had already provided to transfer funds from the victim’s account to other banks, ESET said. Stefanko says the attacker would have been able to steal funds from a victim account without NGate, using just the banking credentials they might have managed to obtain from a victim. But it would have been a bit more complicated, since they would need to first transfer money to their account and use a mule to withdraw the money from an ATM.
Since NGate enables fraudulent ATM withdrawals, an attacker would have been able to steal from a victim’s account without leaving a trail back to their own accounts.
Prevention
Protecting against such complex attacks requires specific precautions against the tactics involved: phishing, social engineering, and Android malware. These steps include:
- Checking the website’s authenticity. This can be done by looking at the URL to make sure the website isn’t a fake version of a genuine one.
- Only downloading apps from official sources, such as the Google Play store. This precaution significantly reduces the risk of unknowingly installing harmful software.
- Keeping payment card PIN codes secret. This important information should be kept safe at all times.
- Using security apps on mobile devices that can stop potentially unwanted software and malware, like NGate, from being downloaded and installed. These security apps add an extra layer of defense by continuously scanning and monitoring for threats.
- Turning off the NFC function on devices when it’s not needed. This step helps to prevent any unauthorized access or data transfer via NFC.
- Using protective cases or protectors for radio frequency identification (RFID) cards. By creating a barrier that blocks unwanted RFID scans, these can stop anyone from stealing NFC data from the card.
- Using digital versions of physical cards on smartphones. These virtual cards are stored securely on the device and can be protected by additional security measures, such as biometric authentication, making them a safer and more convenient alternative to traditional plastic cards.
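The first step above, checking that a link really points at the bank's own site, is where the SMS lure in this campaign is meant to succeed. The following is an added example (not code from ESET or from the article) of the checks a person, or an SMS-filtering tool, should apply to a link before trusting it. The domain `examplebank.cz` and the sample links are constructed for illustration and are not taken from the campaign.

```python
from urllib.parse import urlsplit
import ipaddress

# Hypothetical bank domain used for this example; not a real site from the article.
GENUINE_DOMAINS = {"examplebank.cz"}


def check_url(url, genuine_domains=GENUINE_DOMAINS):
    """Decide whether a link points at one of the genuine bank domains.

    Returns (ok, reason). The checks mirror what a careful reader does by eye:
    look past anything before '@', ignore the port, require https, refuse
    bare IP addresses and lookalike (internationalized) hostnames, and only
    accept the genuine domain itself or a subdomain of it.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo and port already stripped
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "no hostname in link"
    if parts.scheme != "https":
        return False, "scheme is %r, expected https" % parts.scheme
    if parts.username is not None:
        # "https://examplebank.cz@evil.example/" shows the bank name but goes elsewhere
        return False, "text before '@' is userinfo, real host is %r" % host
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of the bank's domain"
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        return False, "internationalized label may be a visual lookalike"
    for domain in genuine_domains:
        # Match on a label boundary so "examplebank.cz.evil.example" and
        # "evilexamplebank.cz" are both rejected while "www.examplebank.cz" passes.
        if host == domain or host.endswith("." + domain):
            return True, "host matches %s" % domain
    return False, "host %r is not the bank's domain" % host


# Constructed sample links of the kind an SMS lure might carry.
SAMPLE_LINKS = [
    "https://www.examplebank.cz/login",
    "https://examplebank.cz.evil.example/login",
    "https://examplebank.cz@evil.example/",
    "http://www.examplebank.cz/",
    "https://examp1ebank.cz/",
    "https://203.0.113.5/examplebank",
]


def triage(links=SAMPLE_LINKS):
    """Return a dict mapping each link to its (ok, reason) verdict."""
    return {link: check_url(link) for link in links}


if __name__ == "__main__":
    for link, (ok, reason) in triage().items():
        print("%-45s %-6s %s" % (link, "OK" if ok else "REJECT", reason))
```

Only the first sample link is accepted; every other one contains the bank's name somewhere but resolves to a different host, uses plain http, or hides behind an IP address, which is exactly the pattern a phishing text relies on a hurried reader not noticing.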