New Android Malware NGate Steals Money Using NFC
Researchers at ESET have discovered a new Android malware called NGate that can steal money by transferring data read via NFC to a hacker’s device. NGate allows attackers to emulate victims’ cards, make unauthorized payments, or withdraw cash from ATMs.
According to experts, NGate has been active since November 2023 and is linked to a recent ESET report about the growing use of Progressive Web Applications (PWA) and WebAPK to steal banking credentials from users in the Czech Republic. Researchers also note that in some cases, NGate has been used for direct cash theft.
How the NGate Attack Works
The attack begins with malicious SMS messages, automated calls with pre-recorded messages, or harmful ads. These are designed to trick victims into installing malicious PWAs and then a WebAPK, as previously described by researchers. Such apps do not require any permissions during installation and use the browser’s API to access the device’s hardware.
After installing the WebAPK, the victim is deceived into installing NGate. The malware then activates the open-source component NFCGate, originally developed by academic researchers for NFC experiments. This tool supports capturing, relaying, replaying, and cloning NFC data and often does not require root access.
NGate uses NFCGate to intercept NFC data from payment cards near the infected device and then sends this information to the attacker’s device, either directly or via a special server. The attacker can then save this data as a virtual card on their device and use it to reproduce the signal at an ATM that supports NFC cash withdrawals or to make a PoS payment at a retail location.
Social Engineering and PIN Theft
While most ATMs require a PIN code for cash withdrawals, researchers believe it’s easy for attackers to obtain it through simple social engineering. For example, after the phishing PWA/WebAPK is installed, scammers call the victim pretending to be bank employees and report a supposed security issue. They then send an SMS with a link to download NGate, presenting it as a special app for verifying the existing bank card and PIN.
Once the victim scans their card and enters their PIN for “verification” in NGate, this sensitive information is sent to the attacker.
Attack Overview and Additional Risks
In a demonstration video, ESET specialist Lukas Stefanko shows that the NFCGate component in NGate can also be used to scan and intercept card data from wallets and backpacks of people nearby. Additionally, the malware can clone unique IDs of some NFC access cards and tokens, potentially allowing hackers to enter restricted areas.
ESET reports that Czech police have already caught one criminal carrying out such attacks in Prague. However, researchers warn that this tactic could become more widespread and poses a serious risk to Android users. The company also highlights the potential danger of cloning access cards, transit tickets, ID badges, membership cards, and other NFC-enabled items, explaining that money theft is far from the only possible negative outcome.
How to Protect Yourself
- Turn off NFC if you don’t use it regularly.
- Carefully review all app permissions and revoke unnecessary ones.
- Only install banking apps from your financial institution’s official website or the Google Play Store.
- Make sure the app you’re using is not a WebAPK.
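The last two checks in the list above can be run over a device's installed apps. The following is an added example, not code from ESET or from the original article: it parses the output of `adb shell pm list packages -3 -i` and flags WebAPKs and apps that did not come from the Play Store. It assumes that Chrome-generated WebAPKs use package names starting with org.chromium.webapk. and that the Play Store installer is com.android.vending; the sample lines are constructed.

```python
import re

# Assumptions (not from the article): Chrome-generated WebAPKs live under the
# "org.chromium.webapk." package prefix; Google Play installs report
# "com.android.vending" as the installer package.
WEBAPK_PREFIXES = ("org.chromium.webapk.",)
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i`: "package:<name>  installer=<name|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?\s*$")

def audit(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, reason, installer) for every app worth a manual look."""
    findings = []
    for raw in pm_output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and adb noise
        pkg, inst = m.group("pkg"), m.group("inst")
        if inst in (None, "null"):
            inst = None  # sideloaded apps often have no recorded installer
        # The prefix is checked first so the installer field cannot mask a WebAPK.
        if pkg.startswith(WEBAPK_PREFIXES):
            findings.append((pkg, "webapk", inst))
        elif inst not in trusted:
            findings.append((pkg, "untrusted-installer", inst))
    return findings

# Constructed sample output; package names are hypothetical.
SAMPLE = """\
package:com.example.bank  installer=com.android.vending
package:org.chromium.webapk.a0b1c2d3e4f5_v2  installer=com.android.vending
package:com.example.cardverify  installer=null
package:com.example.notes  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, reason, inst in audit(SAMPLE):
        print(f"{reason:20} {pkg} (installer: {inst or 'unknown'})")
```

A flagged entry is a prompt for manual review, not proof of compromise; legitimate PWAs and apps from other stores will also appear.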