ESET researchers have identified a sophisticated crimeware campaign that specifically targeted clients of three prominent Czech banks. The campaign, powered by the newly discovered NGate Android malware, exploited Near Field Communication (NFC) technology to steal sensitive payment card data from victims.
The NGate malware was designed to facilitate unauthorized ATM withdrawals: a malicious app installed on the victim’s Android device relays NFC data from the victim’s physical payment card, through the compromised smartphone, to the attacker’s device, enabling ATM transactions. If this primary method failed, the attackers had a backup plan to transfer funds directly to other bank accounts.
Lukáš Štefanko, the ESET researcher who discovered NGate, explained, “We haven’t seen this novel NFC relay technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany.”
Victims were tricked into downloading the NGate malware after receiving deceptive SMS messages that appeared to be from their bank. These messages prompted them to download an app under the guise of protecting their device. However, this app was never available on the official Google Play store.
ESET’s investigation revealed that NGate is linked to a phishing group operating in Czechia since November 2023. The attackers used short-lived domains that impersonated legitimate banking websites to distribute the malware. ESET first detected these activities and reported them to clients in late 2023.
The cybercriminals behind NGate initially leveraged Progressive Web Apps (PWAs) but later transitioned to more advanced WebAPKs, culminating in the deployment of the NGate malware. By March 2024, NGate became available on the same domains previously used in phishing campaigns. The malware displays a fake banking website to steal users’ credentials and misuse NFC technology.
NGate can relay NFC traffic even from non-rooted devices, and it captures sensitive information such as banking client IDs, PIN codes, and card details. Victims are also instructed to enable NFC on their smartphones and hold their payment cards near the device, which lets the malware read and relay the card data it needs.
Štefanko advises users to take proactive steps to protect themselves from such threats, including verifying URLs, downloading apps only from official stores, using security apps, and turning off NFC when not needed. For further technical details, ESET recommends reading the blog post “NGate Android malware relays NFC traffic to steal cash” on WeLiveSecurity.com and following ESET Research on Twitter (now X).
By staying informed and vigilant, users can better protect themselves from the evolving tactics of cybercriminals.