
NGate malware steals bank data via NFC

WBOY, 2024-08-29 13:37:08


Security firm ESET recently reported a piece of malware, targeted mainly at Android users, that uses a social engineering attack alongside stolen NFC traffic to steal bank data from users. Dubbed NGate, the malware allows attackers to siphon money from affected users' bank accounts. The attack is unique in that it has multiple moving parts, and is reportedly the first seen in the wild to integrate NFC interception as part of a multi-faceted approach.

The way the attack works is relatively simple. It all starts with convincing a user to install a fake version of their banking app of choice. This is accomplished through malicious advertising or progressive web apps that mimic the official interfaces of Google Play and select banking apps to trick users into installing what they're led to believe is something else, usually a critical security update. This is a two-part process; part one is aimed at getting users to grant access to their hardware and bank data, and part two installs the actual malware.

The malware is based on an open-source toolset called NFCGate, which was developed by German college students with the goal of being able to analyze or alter NFC traffic on host devices. NGate, on the other hand, is an app that's made purely to listen and transmit. When the infected device is brought near an NFC-enabled bank card, or any other NFC-enabled tag or card for that matter, the information being broadcast via NFC is captured by the device and relayed to the attackers. From there, they can use an Android device with root privileges enabled to clone that NFC output. This allows them to fool an ATM, or other NFC receptacle, into thinking that they're holding that card or tag. Along with the bank info stolen in the first step, this allows them to access or change a victim's PIN, and withdraw money.

This attack has been found to be active in Czechia since at least November of 2023. This tactic appears to have been used on a limited scale, targeting customers of three Czech banks through six fake apps. One of the people using the malware to steal money was arrested in Prague back in March of 2024, with the rough equivalent of $6,500 in stolen funds on him. His identity and nationality have yet to be revealed. The report noted that use of this attack seems to have stopped since the arrest.

While ESET believes that activity has stopped, it wouldn't be too difficult for another attacker to pick up the same toolset and approach, then give it a facelift for a new audience. It is worth noting that no software containing this particular malware can be found in the official Google Play Store. Google confirmed this to news outlet Bleeping Computer, stating that Google Play Protect contains protections against NGate.
