Cybersecurity experts have identified a new strain of Android malware, known as NGate, designed to siphon contactless payment data from victims’ physical credit and debit cards. The stolen data is relayed to a device controlled by attackers, enabling them to carry out fraudulent transactions.
This new threat, dubbed NGate by researchers, has been observed targeting three major banks in Czechia as part of a broader cybercrime campaign that began in November 2023.
The malware leverages a malicious app installed on victims’ Android devices to transmit payment card information to the attacker’s rooted Android phone. Researchers have uncovered that NGate originated from a legitimate tool called NFCGate, initially developed for security research by students at the Secure Mobile Networking Lab at TU Darmstadt in 2015.
The malware campaign primarily relies on social engineering tactics, including SMS phishing, to trick users into downloading NGate by directing them to fake domains that mimic authentic banking websites or official mobile banking apps.
Since NGate's first recorded use in March 2024, six distinct versions of the malware have been identified; activity ceased after Czech authorities arrested a 22-year-old suspect linked to the ATM fund thefts.
NGate operates by capturing near-field communication (NFC) data from victims’ payment cards and transmitting it to an attacker’s device. The attackers then emulate the original card to withdraw funds from ATMs. The malware also prompts users to input sensitive financial details, such as banking IDs, birthdates, and PIN codes, through phishing pages displayed within a WebView.
Victims are further deceived into enabling the NFC feature on their smartphones and holding their payment cards against the back of their devices until the malicious app recognizes the card.
To increase the effectiveness of the attack, victims who install the NGate app via links sent through SMS receive follow-up calls from the threat actors. Posing as bank representatives, these attackers inform victims that their bank accounts have been compromised and instruct them to change their PINs and validate their cards using another mobile app, which is also NGate. These malicious apps were not distributed through the Google Play Store.
The researchers revealed that NGate uses two separate servers: one for phishing and initiating NFC relay attacks, and another as an NFCGate relay server to redirect NFC traffic from the victim’s device to the attacker’s.
Preventing such attacks requires a multi-layered approach. Users should be cautious of unexpected messages or calls urging them to download apps or enter sensitive information, and should verify the authenticity of a website or app before installing anything from it, particularly when the app is offered outside the official app store.
It’s also crucial to keep your device updated with the latest security patches and consider using a reputable mobile security solution to detect and block malicious activity.