New Android malware steals your card data using NFC
An unprecedented method of stealing banking credentials using Android smartphones is ringing alarm bells once again, reminding us of the importance of not downloading fraudulent applications from the Internet or via links.
Cybersecurity firm ESET has discovered a new form of fraud where an attacker obtains victims' credit card data using the NFC chip in their smartphones.
NFC is what lets you pay in stores with your mobile phone (for example with Google Pay), top up your transport card, and so on. In this method, which the company describes as "innovative", the usual phishing tactic is combined with a new program, which ESET has named "NGate", that accesses NFC data.
On a device with NGate installed, the malware is able to:
- Capture NFC traffic from apps that use NFC.
- Relay this NFC data from one device to another.
- Replay (emulate) data it previously intercepted, from another device.
"This is the first time we have seen Android malware with this capability," ESET says, adding that the victim's device does not need to be rooted. The malware relies on NFCGate, a tool designed by students at the Technical University of Darmstadt in Germany to capture, analyze or modify a device's NFC traffic.
The attacks were concentrated in the Czech Republic between November 2023 and March 2024. The cessation of these attacks coincides with the arrest of a suspect by Czech police: a 22-year-old man who was stealing money from ATMs in Prague.
ESET identified up to six different NGate apps, which were presented as official apps from three Czech banks.
Even if the detainee's guilt is confirmed, this new technique could prompt other criminal groups to launch campaigns with the same malware.
At the time of his arrest, the suspect, whose nationality has not been revealed, was carrying more than $6,000. According to police, the total amount he may have stolen this way could be much larger.
To get victims to install malware on their devices, and then bring their bank cards near the device so the malware could read them, the attacker developed a complex, multi-step plan.
First, as is typical, phishing was used to impersonate banks in SMS messages sent to victims, alerting them to a problem with their account. From there, the victim was encouraged to install a Progressive Web App (PWA) and then a slightly more advanced WebAPK, which impersonated legitimate services from the victim’s bank. The scammer convinced the victim, via phone call, to change their PIN and verify their credit card using the malicious app.
Once this process is complete, the criminal has the victim's credit card data on their own device and can use it to withdraw money from an ATM.