
Hacker attack on radio signals from Android smartphones can intercept bank data
NEW YORK – A dangerous new Android malware has emerged that can clone contactless payment data from physical credit and debit cards and forward it to an attacker’s Android device, enabling fraudulent transactions.

Researchers from ESET, who track the malware as NGate, described it this week as the first malware of its kind observed in the wild.

Built on a legitimate tool

NGate is actually based on NFCGate, a tool developed by students at the University of Darmstadt to record, analyze and modify Near Field Communication (NFC) traffic. NFC enables devices – such as smartphones – to communicate wirelessly with each other over short distances. The students describe NFCGate as a legitimate research tool for reverse engineering protocols and for evaluating protocol security under different traffic conditions.

Among other things, NFCGate can capture NFC traffic that applications running on an Android phone send or receive; relay NFC traffic between two devices through a server; replay captured NFC traffic; and clone the identifier and other initial tag information. “I believe it is for research purposes to show that it is possible to extend the distance of contactless NFC communication – which is only up to 5-10 centimeters – using Android phones,” says Lukas Stefanko, lead malware researcher at ESET.

ESET observed a threat actor exploiting NFCGate’s capabilities in combination with phishing and social engineering lures to attempt to steal cash from victims’ bank accounts via fraudulent ATM transactions.

Secret fraud

In the scam, the attacker – believed to be a 22-year-old who was recently arrested by Czech authorities – sent SMS messages on a tax-related pretext to potential victims in the Czech Republic. People who clicked on the link landed on a progressive web app (PWA) or a WebAPK (Android package) that phished for their banking information and sent it to the attacker. Attackers have long used similar apps to trick users into revealing their banking information.

The threat actor then called the potential victim posing as a bank employee, informed them of a supposed security incident related to their account, and asked them to change their PIN and verify their card.

Victims who fell for the social engineering trick received a link to download NGate, which then performs a series of steps to facilitate fraudulent ATM withdrawals.

“Once installed and opened, NGate displays a fake website that asks for the user’s banking details, which are then sent to the attacker’s server,” ESET said. The malware asks victims to enter their bank customer ID, date of birth, PIN for their bank card and other sensitive information. It also asks victims to enable the NFC feature on their smartphone and place their payment card on the back of their smartphone until the malicious app recognizes the card, ESET said.

At this point, NGate captures NFC data from the victim’s card and sends it to the attacker’s Android device via a server. The attacker’s Android phone would need to be rooted or compromised at the kernel level in order for it to use the forwarded data. The NFC data allows the attacker to essentially clone the victim’s card onto their smartphone and use it to make payments and withdraw money from ATMs that support the NFC feature.

If this method failed, the attacker's fallback was to use the bank account details already provided by the victim to transfer money from the victim's account to other banks, ESET explained.

According to Stefanko, even without NGate the attacker could have stolen money from a victim's account using only the banking information obtained from the victim. But that would have been more complicated, as the attacker would first have to transfer the money to an account under their control and then withdraw it from an ATM using a cash courier. Because NGate enables fraudulent ATM withdrawals directly, an attacker can drain a victim's account without leaving a trail leading to their own accounts.

Read more at Dark Reading
