ESET Research has identified a novel form of Android malware known as NGate, which has been utilised to carry out sophisticated attacks on customers of three Czech banks. This malware uniquely captures and relays NFC traffic, enabling attackers to withdraw cash from ATMs by cloning the data from victims’ payment cards.
Detailed operation of NGate
NGate infiltrates Android devices through a malicious app that deceives users into believing they are responding to legitimate security concerns from their bank. Once installed, it enables criminals to capture NFC data from the victim’s payment card and transmit it to an attacker-controlled device. This setup allows the replication of the victim’s card, facilitating cash withdrawals from ATMs without the need for physical access to the card or rooting the victim’s device.
Lukáš Štefanko of ESET elucidated the operation, saying, “We haven’t seen this novel NFC relay technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyse, or alter NFC traffic; therefore, we named this new malware family NGate.”
Victims were duped into installing NGate via deceptive SMS messages that falsely alerted them about a compromised device due to a tax issue and urged them to install a linked application. Crucially, NGate was never available on the official Google Play store.
Prevention and implications
The malware campaign began in November 2023 and involved domains impersonating legitimate banking platforms. It was part of a broader phishing strategy that included using progressive web apps and WebAPKs to distribute malicious content. By March 2024, following the arrest of a suspect linked to these activities, the spread of NGate had been curtailed.
ESET Research advises the public to adopt proactive security measures to mitigate the risk of such advanced threats. Ensuring security involves checking website URLs, downloading apps only from trusted sources, keeping PIN codes secret, using security apps on smartphones, turning off NFC when not in use, employing protective cases, and opting for virtual cards that require authentication.
