Security researchers at ESET have discovered a novel Android malware campaign that utilizes near-field communication (NFC) technology to facilitate unauthorized cash withdrawals from victims' bank accounts.
The malware, dubbed NGate, represents a significant evolution in mobile banking threats, combining social engineering tactics with sophisticated technological exploitation.
The NGate malware campaign, which primarily targeted clients of three Czech banks between November 2023 and March 2024, employs a unique method of relaying NFC data from victims' payment cards through their compromised Android smartphones to the attacker's device.
This allows criminals to clone the victim's card data and make fraudulent ATM withdrawals or contactless payments.
According to ESET's findings, the attack begins with victims receiving SMS messages about potential tax returns, luring them to phishing websites impersonating legitimate banks.
These sites prompt users to download malicious apps, initially using progressive web apps (PWAs) and later evolving to more sophisticated WebAPKs. The final stage involves the installation of the NGate malware, which masquerades as a security update from the bank.

Once installed, NGate displays a fake banking interface requesting sensitive information such as client IDs, birth dates, and PIN codes. It also instructs victims to enable NFC on their devices and place their payment cards against their phones, ostensibly to "verify" the card. In reality, this action allows the malware to capture and relay the card's NFC data to the attacker.
The sophistication of NGate lies in its ability to operate without requiring the victim's device to be rooted. However, the attacker's device must be rooted to emulate the received NFC traffic successfully. This technique enables criminals to bypass traditional security measures and carry out fraudulent transactions without physical possession of the victim's card.
ESET researchers note that this is the first observed instance of Android malware with such NFC relay capabilities being used in the wild.
The malware's core functionality is based on a modified version of NFCGate, a tool initially developed by students at the Technical University of Darmstadt for NFC research purposes.
The campaign's impact was significant, with Czech police arresting a 22-year-old suspect in March 2024. At the time of arrest, the individual possessed 160,000 Czech korunas (approximately €6,000 or US$6,500) stolen from just three victims, suggesting the total amount stolen could be substantially higher.
To protect against such attacks, security experts recommend several measures:
- Only download apps from official sources like the Google Play Store
- Verify website authenticity before entering sensitive information
- Keep payment card PINs confidential
- Use mobile security apps to detect and prevent malware installations
- Disable NFC when not in use
- Consider using RFID-blocking wallets or card protectors
- Opt for digital versions of payment cards with additional security features
While the NGate campaign appears to have been halted following the arrest, ESET researchers warn that similar techniques could potentially spread to other regions.
As cybercriminals continue to innovate, users must remain vigilant and adopt robust security practices to safeguard their financial information in an increasingly digital world.