ESET researchers uncovered a sophisticated crimeware campaign targeting clients of three Czech banks. The malware, dubbed NGate, has a unique ability to relay payment card data from victims' Android devices to the attacker's rooted smartphone, enabling unauthorized ATM withdrawals.
The attackers used deceptive methods, including phishing links and fake banking apps, to lure victims into installing the malware. Once installed, NGate would capture the victims' NFC payment card data and relay it to the attacker's device, allowing them to conduct ATM transactions. If that failed, the attacker could also transfer funds from the victims' accounts.
This novel NFC relay technique, based on a tool called NFCGate, has not been seen in previous Android malware, making it a significant threat. ESET reported the findings to its clients in late 2023, and a suspect was arrested in March 2024, though the threat actor's activities were believed to be ongoing.
To protect against such attacks, ESET advises users to be wary of phishing attempts, download apps only from official stores, keep PIN codes secret, use security apps, turn off NFC when not needed, and use protective cases or virtual cards.
“Ensuring protection from such complex attacks requires the use of certain proactive steps against tactics like phishing, social engineering, and Android malware. This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication,” advises Lukáš Štefanko, malware analyst, ESET.