Criminals steal Near Field Communication data using malware
Washington

Recent research by cybersecurity company ESET provides details of a new attack campaign targeting Android smartphone users.

The cyberattack is based on both a complex social engineering scheme and the use of a new Android malware and can steal users’ Near Field Communication data to withdraw cash from NFC-enabled ATMs.

Continuous technical improvements by the threat actor

As ESET noted, the threat actor initially leveraged progressive web app technology, which allows the installation of an app from any website outside the Play Store. This technology can be used with supported browsers such as Chromium-based browsers on desktops or Firefox, Chrome, Edge, Opera, Safari, Orion, and Samsung Internet Browser.

PWAs accessed directly through browsers are flexible and generally do not suffer from compatibility issues. Once installed on systems, PWAs can be identified by their icon, which displays an additional small browser icon.

Example of a PWA icon (left) that imitates a real app (right). Image: ESET

Cybercriminals use PWAs to direct unsuspecting users to full-screen phishing websites to obtain their login or credit card information.

The threat actor involved in this campaign moved from PWAs to WebAPKs, a more advanced type of PWA. The difference is subtle: PWAs are apps built with web technologies, while WebAPKs wrap a PWA so that it installs and behaves like a native Android application.

From the attacker's perspective, WebAPKs are stealthier because their icons no longer carry the small browser badge.

Difference in the icons. Legitimate app on the left, malicious WebAPK in the middle, PWA on the right. Image: ESET

The victim downloads and installs a standalone app from a phishing website. The user is not asked to grant any additional permission to install an app from a third-party website.

These fraudulent websites often imitate parts of the Google Play Store to create confusion and make the user believe that the installation actually comes from the Play Store, when in fact it comes directly from the fraudulent website.

Example of a phishing website that imitates Google Play and tricks the user into installing a malicious WebAPK. Image: ESET

NGate Malware

On March 6, the same distribution domains used for the observed PWA and WebAPK phishing campaigns suddenly started distributing a new malware called NGate. Once installed and executed on the victim’s phone, it opens a fake website that requests the user’s banking information, which is then sent to the threat actor.

The malware also embeds a tool called NFCGate, a legitimate tool that relays NFC data between two devices without requiring the device to be rooted.

After the user has entered their bank details, they will be asked to activate the NFC function of their smartphone and hold their credit card to the back of their smartphone until the app successfully recognizes the card.

Comprehensive social engineering

While enabling NFC for an app and letting it read a payment card may seem suspicious at first, the social engineering techniques used by the threat actors make the scenario plausible to the victim.

The cybercriminal sends the user an SMS with a tax return notice and a link to a phishing website that pretends to be a banking company and leads to a malicious PWA. Once installed and executed, the app requests banking information from the user.

At this point, the threat actor calls the user pretending to be the bank. The victim is told that their account has been compromised, supposedly because of the earlier SMS. The user is then asked to change their PIN and verify their bank card details using a mobile application in order to protect their bank account.

The user then receives a new SMS with a link to the NGate malware application.

After installation, the app requests the activation of the NFC function and the recognition of the credit card by pressing it onto the back of the smartphone. The data is transmitted to the attacker in real time.

Complete attack scheme. Image: ESET

Monetization of stolen information

The information stolen by the attacker can be used to carry out the usual fraud attempts: withdrawing funds from the bank account or using credit card information to purchase goods online.

However, the NFC data stolen by the attacker allows them to emulate the original payment card and withdraw money from NFC-enabled ATMs, a previously unreported attack vector.

Scope of attack

ESET's investigation revealed that the attacks took place in the Czech Republic, as only banking companies there were targeted.

A 22-year-old suspect was arrested in Prague. He was carrying approximately 6,000 euros ($6,500). According to Czech police, this money comes from thefts from the last three victims, suggesting that the threat actor stole much more during this attack campaign.

However, “an expansion to other regions or countries cannot be ruled out,” write the ESET researchers.

In the near future, it is likely that more cybercriminals will use similar techniques to steal money via NFC, especially as NFC becomes more popular among developers.

How to protect yourself from this threat

To avoid becoming a victim of this cyber campaign, users should:

  • Check the source of the applications you download and carefully examine the URLs to make sure they are legitimate.
  • Avoid downloading software from outside official sources, such as the Google Play Store.
  • Do not share your payment card PIN code. No banking company will ever ask you for this information.
  • Use digital versions of traditional physical cards, as these virtual cards can be securely stored on the device and protected by additional security measures such as biometric authentication.
  • Install security software on mobile devices to detect malware and unwanted applications on the phone.
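The NGate chain described above combines two observable traits on the device: the app arrives outside the Play Store, and it asks for NFC. The following added example (not from the article or from ESET) is a small triage script an analyst could run over `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` output to flag sideloaded apps that request NFC; the package names and command outputs below are constructed samples.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps only);
# installer=null means the APK was sideloaded, e.g. from a phishing site as described above.
PM_LIST_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.example.notes  installer=null
"""

# Constructed, trimmed `adb shell dumpsys package <pkg>` fragments keyed by package name.
DUMPSYS_OUTPUTS = {
    "com.example.bank": "  requested permissions:\n    android.permission.INTERNET\n    android.permission.NFC\n  install permissions:\n    android.permission.INTERNET: granted=true\n",
    "com.example.fakebank": "  requested permissions:\n    android.permission.INTERNET\n    android.permission.NFC\n    android.permission.RECEIVE_SMS\n  install permissions:\n",
    "com.example.notes": "  requested permissions:\n    android.permission.INTERNET\n  install permissions:\n",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play-installed apps are trusted


def parse_installers(pm_output):
    """Map package name -> installer package (None when the app was sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def requested_permissions(dumpsys_output):
    """Collect permission names listed under 'requested permissions:' in dumpsys output."""
    perms, in_section = set(), False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
        elif line.endswith(":"):           # any other section header ends the block
            in_section = False
        elif in_section and line:
            perms.add(line.split(":")[0])  # tolerate 'name: granted=...' style lines
    return perms


def flag_sideloaded_nfc_apps(pm_output, dumpsys_by_pkg):
    """Sideloaded packages that request NFC: the NGate-style combination worth manual review."""
    flagged = []
    for pkg, inst in parse_installers(pm_output).items():
        if inst in TRUSTED_INSTALLERS:
            continue
        if "android.permission.NFC" in requested_permissions(dumpsys_by_pkg.get(pkg, "")):
            flagged.append(pkg)
    return sorted(flagged)
```

A real run would replace the constructed strings with the live `adb` output, and a Play-installed WebAPK would not be caught by the installer check, so the result is a starting point for review rather than a verdict.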

Users should also deactivate NFC on smartphones when not in use to protect themselves from further data theft. Attackers can read card data in unattended handbags, wallets and backpacks in public places and use them for small contactless payments. Protective cases can also form an efficient barrier against unwanted scans.

If you have any doubts when you receive a call from a bank employee, hang up and call your usual contact at the bank, preferably using a different phone number.

Disclosure: I work for Trend Micro, but the views expressed in this article are my own.
