NFC Traffic Stealer Targets Android Users & Their Banking Info

A dangerous new Android malware has surfaced that can clone contactless payment data from physical credit and debit cards and relay it to an attacker's Android device, enabling fraudulent transactions.

Researchers from ESET, who are tracking the malware as NGate, described it this week as the first of its kind they've observed in the wild.

Leveraging a Legit Tool

NGate is actually based on NFCgate, a tool that students at Germany's University of Darmstadt developed to capture, analyze, and alter near-field communication (NFC) traffic. NFC is what allows devices — such as smartphones — to communicate wirelessly with each other over short distances. The university students have described NFCgate as a legitimate research tool for reverse-engineering protocols or for assessing protocol security in different traffic conditions.

Among other things, NFCgate can capture NFC traffic that applications running on an Android phone might send or receive; relay NFC traffic between two devices via a server; replay captured NFC traffic; and clone identification and other initial tag information. "I believe it's for research purposes to demonstrate it is possible to extend the distance of NFC contactless communication — that is only up to 5 to 10 centimeters — by using Android phones," says Lukas Stefanko, ESET's senior malware researcher.

ESET observed a threat actor leveraging NFCGate's capability in combination with phishing and social engineering lures to try and steal cash from victim bank accounts via fraudulent ATM transactions.

Sneaky Scam

The scam involved the threat actor — likely a 22-year-old recently arrested by Czech authorities — sending SMS messages to potential victims in Czechia about a tax-related issue. People who clicked on the link ended up with a progressive Web app (PWA) or a Web APK (Android Package) that phished for their banking credentials and sent it to the attacker. Attackers have long used similar apps to get users to divulge their banking information.

The threat actor would then call the potential victim pretending to be a bank employee notifying them about a security incident related to their account and requesting them to change their PIN and verify their card.

Victims who fell for the social engineering trick receive a link to download NGate, which then executes a series of steps to enable fraudulent ATM withdrawals.

"After being installed and opened, NGate displays a fake website that asks for the user's banking information, which is then sent to the attacker’s server," ESET said. The malware prompts victims to enter their banking client ID, birth date, the PIN for their bank card, and other sensitive information. It also asks victims to enable the NFC feature on their smartphone and to place their payment card at the back of their smartphone until the malicious app recognizes the card, ESET said.

At this point, NGate captures NFC data from the victim's card and sends it through a server to the attacker's Android device. The attacker's Android phone would need to be rooted, or compromised at the kernel level, for it to be able to use the relayed data. The NFC data allows the attacker to essentially clone the victim's card on their smartphone and use it to make payments and withdraw money from ATMs that support the NFC feature.

If this method failed, the attacker's fallback was to use the bank account data the victim had already provided to transfer funds from the victim's account to other banks, ESET said.

Stefanko says the attacker would have been able to steal funds from a victim account without NGate, using just the banking credentials they might have managed to obtain from a victim. But it would have been a bit more complicated, since they would need to first transfer money to their account and use a mule to withdraw the money from an ATM. Since NGate enables fraudulent ATM withdrawals, an attacker would have been able to steal from a victim's account without leaving a trail back to their own accounts.

Other Malicious Use Cases

Attackers can use malware like NGate to capture and relay data from any NFC tag or token by either gaining physical access to them or by tricking users to place the tag on the back of a compromised Android phone. "During our testing, we successfully relayed the UID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases," the security vendor said, adding that it is also possible to execute relay attacks when an attacker could ready an NFC token at one location and emulate its data to access premises in a different location.

The attack is being propagated by direct text messages rather than malicious apps in Google's official app store, a spokesperson stressed.

"Based on our current detections, no apps containing this malware are found on Google Play," the Google spokesperson said in an emailed comment to Dark Reading. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."