
NGate Mobile Malware

Cybersecurity researchers have identified a new Android malware capable of relaying victims' contactless payment data from physical credit and debit cards to a device controlled by attackers, enabling fraudulent transactions.

This malware, known as NGate, is primarily targeting three banks in the Czech Republic. NGate works by transferring payment card data from a victim's Android device, where a threatening application has been installed, to the attacker's rooted Android phone.

This operation is part of a broader campaign, active since November 2023, that targets financial institutions in Czechia through malicious progressive web applications (PWAs) and WebAPKs. The first known instance of NGate was detected in March 2024.

Threat Actors Try to Harvest Payment Card Details

The primary objective of these attacks is to clone near-field communication (NFC) data from victims' physical payment cards using NGate. The harvested information is then transmitted to an attacker-controlled device, which emulates the original card to withdraw money from an ATM.

NGate originated from a legitimate tool called NFCGate, initially developed in 2015 for security research purposes.

The attack strategy likely involves a mix of social engineering and SMS phishing, in which users are deceived into installing NGate by being redirected to short-lived domains that mimic legitimate banking websites or official mobile banking apps on the Google Play Store.

Several Threatening NGate Applications Uncovered

Between November 2023 and March 2024, six different NGate applications were identified before the activities were likely halted due to the arrest of a 22-year-old by Czech authorities in connection with ATM fund theft.

NGate not only exploits NFCGate's functionality to capture and relay NFC traffic to another device but also prompts users to enter sensitive financial information, such as their banking client ID, date of birth and card PIN. This phishing page is displayed within a WebView.

Additionally, the application instructs users to enable the NFC feature on their smartphones and to hold their payment card against the back of the device until the card is recognized by the malicious application.

Attackers Call Victims to Further Exploit Them

The attacks take a further insidious turn: after victims install the PWA or WebAPK app through links sent via SMS, their credentials are phished, and they then receive calls from the threat actor, who poses as a bank employee and tells them that their bank account has been compromised as a result of installing the application.

They are then instructed to change their PIN and verify their banking card using a different mobile application (i.e., NGate), for which an installation link is also sent via SMS. There is no evidence that these apps were distributed through the Google Play Store.

NGate uses two distinct servers to facilitate its operations. The first is a phishing website designed to lure victims into providing sensitive information and capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim's device to the attacker's.
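The relay described above has a recognizable footprint on the emulating side: an Android app that stands in for a payment card must declare a Host Card Emulation (HCE) service, and to relay traffic to a server it also needs network access. The following static triage script is an added example for analysts, not code from NGate or NFCGate; it parses an AndroidManifest.xml and flags the combination of NFC permission, an HCE service and Internet access as relay-capable, and separately notes SMS access. The two manifests and the package names in them are constructed for the example, and the check is a heuristic: the card-reading half of a relay uses NFC reader mode, which leaves no manifest trace beyond the NFC permission, and legitimate wallet apps also declare HCE services, so a hit is a reason to look closer, not a verdict.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace and the HCE service markers defined by the platform.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"

# Constructed sample (hypothetical package name): an app that can emulate a card via HCE,
# reach the network, and read SMS. This is not NGate's manifest.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.cardcheck">
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Card Check">
        <activity android:name=".MainActivity"/>
        <service android:name=".EmuService"
                 android:permission="android.permission.BIND_NFC_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
            </intent-filter>
            <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                       android:resource="@xml/apduservice"/>
        </service>
    </application>
</manifest>
"""

# Constructed sample (hypothetical package name): uses NFC only to read tags, no HCE service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.tagreader">
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tag Reader">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Flag manifest features associated with NFC relay tooling.

    Returns a dict with the package name, the list of findings, the names of any
    HCE services, and a relay_capable flag that is true only when NFC permission,
    an HCE service and Internet access all appear together.
    """
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}

    # A service is an HCE service if it handles the HOST_APDU_SERVICE action
    # or carries the host_apdu_service meta-data entry.
    hce_services = []
    for svc in root.iter("service"):
        actions = {android_attr(a, "name") for a in svc.iter("action")}
        metas = {android_attr(m, "name") for m in svc.iter("meta-data")}
        if HCE_ACTION in actions or HCE_META in metas:
            hce_services.append(android_attr(svc, "name"))

    findings = []
    if "android.permission.NFC" in perms:
        findings.append("nfc-permission")
    if hce_services:
        findings.append("hce-service")
    if "android.permission.INTERNET" in perms:
        findings.append("internet")
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.append("sms-access")

    relay_capable = {"nfc-permission", "hce-service", "internet"} <= set(findings)
    return {
        "package": root.get("package"),
        "findings": findings,
        "hce_services": hce_services,
        "relay_capable": relay_capable,
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run against an unpacked APK, the script would take the decoded manifest (binary manifests need a decoder such as apktool first); on a fleet, the useful query is "relay_capable apps whose package is not on the organisation's list of known wallet and banking apps".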
