ESET Uncovers NGate Android Malware Relaying NFC Traffic to Facilitate Unauthorized ATM Withdrawals

ESET Research revealed a crimeware campaign targeting customers of three Czech banks. The attack used Android malware named NGate, which relays near-field communication (NFC) data from a victim's payment card, read by the victim's own compromised Android phone, to an attacker's device.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)

Introduction

On August 22, 2024, ESET Research revealed a crimeware campaign targeting customers of three Czech banks. The attack used Android malware named NGate, which relays near-field communication (NFC) data from a victim's payment card, read by the victim's own compromised Android phone, to an attacker's device. This technique let the attackers emulate the original card and withdraw funds from ATMs without ever holding the victim's physical card.

Report Overview

ESET researchers first observed the NGate malware in March 2024, following a series of phishing activities that had been ongoing in Czechia since November 2023. These attacks were part of a larger operation involving malicious progressive web apps (PWAs) and WebAPKs, which were used to deceive victims into downloading fake banking applications. ESET's Brand Intelligence Service identified these fraudulent apps, which ultimately led to the discovery of the NGate malware.

NGate is an evolution of the threat actor's earlier tooling, which used PWAs and WebAPKs to steal banking credentials. What is new is the use of NFCGate, an open-source research tool originally developed by students at the Technical University of Darmstadt, Germany. NFCGate is a legitimate tool for capturing, analyzing, and relaying NFC traffic; NGate abuses its relay capability to forward NFC data from the victim's card, read by the victim's phone, to the attacker's rooted Android device, which then emulates the card.

The attack sequence begins with an SMS luring the victim to download a malicious app, for example under the pretext of resolving a tax return issue. Once the app is installed, a phishing page embedded in the app asks the victim for banking details, including their banking client ID, date of birth, and the PIN of their payment card. NGate then prompts the victim to enable NFC on the phone and hold the payment card against the back of the device. The card's NFC responses are relayed live to the attacker's device, which emulates the card at an ATM; combined with the phished PIN, this is enough to make unauthorized withdrawals.

The consequences are severe: funds can be withdrawn before the victim notices anything. What makes the technique notable is that it removes the need for the attacker to possess the physical card; card data is relayed in real time from the victim's phone to the attacker's emulating device at the ATM. The card's PIN is not bypassed, however: it is obtained through the phishing page, which is why the social-engineering step is essential to the scheme. The Czech police arrested a suspect who was carrying approximately 160,000 Czech korunas (over 6,000 euros) stolen from just three victims, suggesting the total amount taken is considerably higher.

Insights and Analysis

ESET researchers have highlighted the novelty of this attack: it is the first time they have seen Android malware with this NFC-relay capability used in the wild for financial theft. Nothing in the technique is specific to Czechia; the same phishing-plus-relay chain could be adapted to target banks and ATMs in other regions.

To protect against such advanced threats, users are advised to:

  • Verify the authenticity of websites and applications before entering sensitive information.
  • Download apps exclusively from official sources like the Google Play store.
  • Keep NFC disabled when not in use, consider RFID-blocking sleeves for payment cards, and never hold a card against the phone or enter its PIN because an app or website asks you to; a bank will not request the card PIN this way.
  • Use a mobile security app that can detect and block malware such as NGate before it runs on the device.

The discovery of NGate malware adds to the evolving landscape of cyber threats, where attackers continuously refine their techniques to exploit emerging technologies.

Indicators of Compromise (IOCs)

Indicator                         | Type       | Description
7225ED2CBA9CB6C038D8615A47423E45  | File hash  | NGate Android malware sample used in phishing attacks.
66DE1E0A2E9A421DD16BD54B371558C9  | File hash  | NGate Android malware sample used in phishing attacks.
DA84BC78FF2117DDBFDCBA4E5C4E3666  | File hash  | NGate Android malware sample used in phishing attacks.
E7AE59CD44204461EDBDDF292D36EEED  | File hash  | NGate Android malware sample used in phishing attacks.
103D78A180EB973B9FFC289E9C53425D  | File hash  | NGate Android malware sample used in phishing attacks.
11BE9715BE9B41B1C8527C9256F0010E  | File hash  | NGate Android malware sample used in phishing attacks.
raiffeisen-cz[.]eu                | Domain     | NGate distribution website used to deliver the malware.
app.mobil-csob-cz[.]eu            | Domain     | NGate distribution website used to deliver the malware.
client.nfcpay.workers[.]dev       | Domain     | Phishing website associated with NGate.
91.222.136[.]153                  | IP address | Hosting server for raiffeisen-cz[.]eu, used for malware distribution.
104.21.7[.]213                    | IP address | Hosting server for client.nfcpay.workers[.]dev, the phishing website.
185.104.45[.]51                   | IP address | Hosting server for app.mobil-csob-cz[.]eu, used for malware distribution.

Note on the file hashes: each value is 32 hexadecimal characters, which is the length of an MD5 digest, not a SHA-1 digest (40 characters). Confirm the algorithm against ESET's published IoC list before loading these into a blocklist that expects SHA-1. The domains and IP addresses are defanged with [.] and must be refanged before matching against logs.

MITRE ATT&CK Techniques

Tactic              | Technique                                 | ID        | Description
Initial Access      | Phishing                                  | T1660     | NGate was distributed through websites impersonating legitimate services to trick victims into downloading the malware.
Credential Access   | Input Capture: GUI Input Capture          | T1417.002 | NGate attempts to obtain victims' sensitive information via a phishing WebView pretending to be a banking service.
Discovery           | System Information Discovery              | T1426     | NGate can extract device information, including device model, Android version, and NFC status.
Command and Control | Application Layer Protocol: Web Protocols | T1437.001 | NGate uses a JavaScript interface to send commands to, and execute them on, compromised devices.
Command and Control | Non-Standard Port                         | T1509     | NGate uses TCP port 5566 to communicate with its server and relay NFC traffic.
Exfiltration        | Out of Band Data                          | T1644     | NGate exfiltrates NFC traffic from the victim's device to the attacker's device.

Technique IDs are from MITRE ATT&CK for Mobile, the matrix that covers Android malware. Do not substitute the similarly named Enterprise IDs: Out of Band Data (T1644) exists only in the Mobile matrix, and Enterprise T1020 is Automated Exfiltration.
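The following is an added example, not code from ESET or from the original article, showing how a defender would operationalize the IOC table and the port-5566 entry above: it refangs the published domains and IPs, matches them against DNS and firewall log lines, treats a bare destination port of 5566 as weak evidence only, and checks the hash lengths so the SHA-1/MD5 question is caught before the values reach a blocklist. The log lines are constructed for illustration and are not real telemetry; the log field names (query=, dst=) are an assumed format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as listed in the IOC table above, kept defanged ([.]) as published.
IOC_DOMAINS = {
    "raiffeisen-cz[.]eu",
    "app.mobil-csob-cz[.]eu",
    "client.nfcpay.workers[.]dev",
}
IOC_IPS = {"91.222.136[.]153", "104.21.7[.]213", "185.104.45[.]51"}
IOC_HASHES = [
    "7225ED2CBA9CB6C038D8615A47423E45",
    "66DE1E0A2E9A421DD16BD54B371558C9",
    "DA84BC78FF2117DDBFDCBA4E5C4E3666",
    "E7AE59CD44204461EDBDDF292D36EEED",
    "103D78A180EB973B9FFC289E9C53425D",
    "11BE9715BE9B41B1C8527C9256F0010E",
]
NGATE_RELAY_PORT = 5566  # non-standard port from the ATT&CK table (T1509)


def refang(indicator: str) -> str:
    """Undo the [.] defanging so an indicator can be compared with real log fields."""
    return indicator.replace("[.]", ".")


def hash_algorithm_by_length(digest: str) -> Optional[str]:
    """Infer the digest algorithm from hex length; None if not a plain hex string."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        return None
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(digest))


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    reason: str


# Constructed sample log lines (not real telemetry): a DNS query log and
# firewall-style connection records from a hypothetical corporate network.
SAMPLE_LOG = [
    "2024-03-12T09:14:02Z dns client=10.0.0.7 query=app.mobil-csob-cz.eu type=A",
    "2024-03-12T09:14:03Z fw src=10.0.0.7:51234 dst=185.104.45.51:443 proto=tcp action=allow",
    "2024-03-12T09:20:41Z fw src=10.0.0.7:51990 dst=203.0.113.9:5566 proto=tcp action=allow",
    "2024-03-12T09:21:00Z dns client=10.0.0.8 query=www.example.com type=A",
]

_QUERY_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per IOC match; a 5566 destination port is flagged as weak evidence."""
    domains = {refang(d) for d in IOC_DOMAINS}
    ips = {refang(i) for i in IOC_IPS}
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        if m := _QUERY_RE.search(line):
            name = m.group(1).lower().rstrip(".")
            for domain in domains:
                # exact match or any subdomain of the listed domain; a plain
                # suffix test would also match e.g. notraiffeisen-cz.eu
                if name == domain or name.endswith("." + domain):
                    hits.append(Hit(line_no, domain, "DNS query for NGate distribution/phishing domain"))
        if m := _DST_RE.search(line):
            ip, port = m.group(1), int(m.group(2))
            if ip in ips:
                hits.append(Hit(line_no, ip, "connection to NGate hosting IP"))
            if port == NGATE_RELAY_PORT:
                # Port alone is weak: 5566 is not reserved for NGate, so corroborate before acting.
                hits.append(Hit(line_no, f"tcp/{port}", "connection on NGate NFC relay port (weak signal on its own)"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} - {h.reason}")
    for digest in IOC_HASHES:
        print(digest, hash_algorithm_by_length(digest))
```

Run against the constructed sample, the scanner flags the DNS lookup of app.mobil-csob-cz.eu, the connection to 185.104.45.51, and the connection to port 5566 (the last one marked as weak, since the destination IP there is not in the list), and reports every listed hash as MD5-length. Infrastructure indicators like these age quickly; the phishing hostname on workers[.]dev in particular can be recreated cheaply, so treat the domains and IPs as a snapshot and the relay behaviour as the more durable signal.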

References

ESET Research, "NGate Android malware relays NFC traffic to steal cash", WeLiveSecurity, 22 August 2024. ESET Research uncovers Android malware that relays NFC data from victims' payment cards, via victims' mobile phones, to the device of a perpetrator waiting at an ATM.