Android malware steals payment card data using previously unknown technology


Newly discovered Android malware steals payment card data using an infected device's NFC reader and forwards it to attackers. This novel technique effectively clones the card so it can be used at ATMs or point-of-sale terminals, security firm ESET said.

ESET researchers have named the malware NGate because it contains NFCGate, an open-source tool for recording, analyzing and modifying NFC traffic. NFC is short for Near-Field Communication and is a protocol that allows two devices to communicate wirelessly over short distances.

New Android attack scenario

“This is a new Android attack scenario and it is the first time we have seen Android malware with this capability in the wild,” said ESET researcher Lukas Stefanko in a video demonstrating the discovery. “NGate malware can relay NFC data from a victim's card through a compromised device to an attacker's smartphone, which can then emulate the card and withdraw money from an ATM.”

Video: Lukas Stefanko explains the NGate discovery.

The malware was installed via traditional phishing scenarios, such as the attacker sending messages to victims and tricking them into installing NGate from ephemeral domains posing as banks or official mobile banking apps available on Google Play. NGate impersonates a legitimate app for the victim's bank and asks the user to enter the bank's customer ID, date of birth, and card PIN code. The app then asks the user to turn on NFC and scan the card.

ESET said it detected the use of NGate against three Czech banks starting in November, and identified six different NGate apps in circulation between then and March this year. Some of the apps deployed in later months of the campaign were PWAs, short for Progressive Web Apps, which, as reported on Thursday, can be installed on both Android and iOS devices even if settings (mandatory on iOS) prevent the installation of apps from unofficial sources.

The most likely reason for the end of the NGate campaign in March, according to ESET, was the arrest of a 22-year-old by Czech police who was allegedly wearing a mask while withdrawing money from ATMs in Prague. Investigators said the suspect had “developed a new method of extorting money from people” using a scheme that appears to be identical to that used by NGate.

Stefanko and his ESET colleague Jakub Osmani explained how the attack worked:

Czech police revealed that the attack scenario began with the attackers sending potential victims SMS messages about a tax return, including a link to a phishing website posing as a bank. These links most likely led to malicious PWAs. After the victim installed the app and entered their credentials, the attacker gained access to the victim's account. The attacker then called the victim and posed as a bank employee. The victim was informed that their account had been compromised, likely due to the earlier text message. The attacker was actually telling the truth – the victim's account was compromised, but that truth then led to another lie.

To “protect” their money, the victim was asked to change their PIN and verify their bank card using a mobile app – the NGate malware. A link to download NGate was sent via SMS. We suspect that in the NGate app, victims enter their old PIN to create a new one and place their card on the back of their smartphone to verify or apply the change.

Since the attacker already had access to the compromised account, he could change the withdrawal limits. If the NFC relay method didn't work, he could simply transfer the funds to another account. However, using NGate makes it easier for the attacker to access the victim's funds without leaving a trace to his own bank account. Figure 6 shows a diagram of the attack sequence.

Figure 6. Overview of the NGate attack. Credit: ESET

The researchers said NGate or similar apps could also be used in other scenarios, such as cloning smart cards used for other purposes. The attack would work by copying the NFC tag's unique ID, abbreviated UID.

“During our tests, we were able to successfully relay the UID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID cards, membership or student cards, and similar use cases,” the researchers wrote. “With NFCGate, it is possible to perform an NFC relay attack to read an NFC token in one location and access premises in another location in real time by emulating its UID, as shown in Figure 7.”

Figure 7. Android smartphone (right) that has read the UID of an external NFC token and forwarded it to another device (left). Credit: ESET

Cloning could occur in situations where the attacker has physical access to a card or is able to momentarily read a card in unattended purses, wallets, backpacks, or smartphone cases that contain cards. To perform and emulate such attacks, the attacker must have a rooted and customized Android device. The victims' phones infected with NGate did not need to meet this requirement: they only read and relay the card, while the emulation happens on the attacker's own device.
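To make the relay described above concrete from the defender's side, here is an added toy model (not ESET's or NFCGate's code) of a reader talking to a tag either directly or through a two-phone relay. The relay forwards the bytes unchanged, so the reader receives the genuine UID either way; what differs is the round-trip time, which is the signal a distance-bounding check uses. All command bytes, UIDs, latencies and the threshold are constructed values, and the command frame is a stand-in rather than a real ISO 14443 exchange.

```python
"""Toy model of an NFC relay and a reader-side round-trip-time check.

Added example; not ESET's or NFCGate's code. Every value below is
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

READ_UID = b"\x30\x00"       # constructed stand-in for a "read UID" command
ERR_NOT_FOUND = b"\x6a\x82"  # constructed error status


class Tag:
    """A contactless tag that answers one command with its UID."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, command: bytes) -> bytes:
        return self.uid if command == READ_UID else ERR_NOT_FOUND


class DirectLink:
    """Tag held at the reader: a single short air-interface round trip."""

    def __init__(self, tag: Tag, rtt_ms: float = 1.0) -> None:
        self.tag, self.rtt_ms = tag, rtt_ms

    def exchange(self, command: bytes) -> tuple[bytes, float]:
        return self.tag.respond(command), self.rtt_ms


class RelayLink:
    """Reader -> emulating phone -> network -> reading phone -> tag, and back.

    The payload is forwarded unchanged, so the reader sees the real UID;
    only the timing differs from a direct read.
    """

    def __init__(self, tag: Tag, air_rtt_ms: float = 1.0,
                 network_hop_ms: float = 40.0) -> None:
        self.tag = tag
        self.air_rtt_ms = air_rtt_ms
        self.network_hop_ms = network_hop_ms

    def exchange(self, command: bytes) -> tuple[bytes, float]:
        # Two air hops (reader<->emulator, reader phone<->tag) plus one
        # network round trip between the two phones.
        rtt = 2 * self.air_rtt_ms + 2 * self.network_hop_ms
        return self.tag.respond(command), rtt


@dataclass
class ReadResult:
    uid: bytes
    rtt_ms: float
    accepted: bool
    reason: str


class Reader:
    """A reader that bounds the round trip before trusting the answer.

    The threshold is constructed; real readers derive it from the air
    interface's frame timing.
    """

    def __init__(self, max_rtt_ms: float = 5.0) -> None:
        self.max_rtt_ms = max_rtt_ms

    def read_uid(self, link: DirectLink | RelayLink) -> ReadResult:
        uid, rtt = link.exchange(READ_UID)
        if uid == ERR_NOT_FOUND:
            return ReadResult(uid, rtt, False, "tag did not answer")
        if rtt > self.max_rtt_ms:
            return ReadResult(
                uid, rtt, False,
                f"round trip {rtt:.1f} ms exceeds {self.max_rtt_ms:.1f} ms")
        return ReadResult(uid, rtt, True, "ok")


def demo() -> dict[str, ReadResult]:
    """Read the same constructed tag directly and through the relay."""
    tag = Tag(bytes.fromhex("04a1b2c3"))  # constructed 4-byte UID
    reader = Reader()
    return {
        "direct": reader.read_uid(DirectLink(tag)),
        "relayed": reader.read_uid(RelayLink(tag)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} uid={result.uid.hex()} rtt={result.rtt_ms:.1f} ms "
              f"accepted={result.accepted} ({result.reason})")
```

Two points the model makes visible: a UID-based check cannot distinguish the relayed read from a genuine one, because the UID is simply copied, which is why UID-only access control is weak regardless of relaying; and the relay's extra network hops show up as latency that a timing bound catches. Production systems apply the same idea with much tighter budgets than the constructed 5 ms here, for example the relay-resistance timing defined for EMV contactless kernels.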
