New NGate Android Malware Lets Hackers Withdraw Money from Victims’ Payment Cards

Attackers rely heavily on Android malware for a range of illicit activities, and they target Android because of its large user base and open ecosystem, which make it easier to distribute malicious apps and to exploit vulnerabilities on the platform.

ESET researchers recently identified a new Android malware, dubbed “NGate,” that lets attackers relay data from victims’ payment cards and withdraw money from their accounts at ATMs.

NGate Android Malware

NGate Android malware, first detected in November 2023, represents a sophisticated attack vector for unauthorized ATM withdrawals.

It leverages a modified version of the NFCGate tool, originally developed for NFC research at the Technical University of Darmstadt, to relay Near Field Communication (NFC) data from victims’ payment cards through their compromised Android smartphones to attackers’ devices. 

The malware was distributed via phishing websites impersonating prominent Czech banks, initially as Progressive Web Apps (PWAs) and later evolving to WebAPKs, which more closely resemble native applications.


The attack chain began with SMS phishing, luring victims to these malicious sites under the guise of tax returns. Victims were then socially engineered through fake bank employee calls to install NGate, believing it would protect their compromised accounts. 

Once installed, NGate captures banking credentials and instructs victims to place their payment cards against their phones, enabling the NFC relay attack. Notably, this technique doesn’t require rooting the victim’s device, only the attacker’s. 

Figure: NFCGate architecture
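To make the relay described above concrete, here is an added simulation (not code from ESET’s report or from the NFCGate project) of the topology: the attacker’s phone sits at the terminal and emulates a card, every command APDU the terminal sends is forwarded over the network to the malware on the victim’s phone, which taps the real card and sends the response back. The card, the network hops, the terminal’s command list and the latency values are all constructed for this example; only the SELECT command bytes and the ISO 7816 status words are real.

```python
"""Constructed simulation of the NFC relay topology the article describes.

Nothing here touches NFC hardware or NFCGate. The card, the network hops
and the terminal's commands are mocks built for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Real ISO/IEC 7816-4 status words and the real SELECT command for the
# contactless payment directory "2PAY.SYS.DDF01". What the mock card
# returns before the status word is invented filler.
SW_OK = bytes.fromhex("9000")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
READ_RECORD = bytes.fromhex("00B2010C00")  # READ RECORD 1 of SFI 1


class MockCard:
    """Stand-in for the victim's contactless card (constructed responses)."""

    def transmit(self, apdu: bytes) -> bytes:
        if apdu.startswith(bytes.fromhex("00A40400")):  # SELECT by DF name
            return bytes.fromhex("6F00") + SW_OK  # empty FCI template, then 9000
        return SW_FILE_NOT_FOUND


@dataclass
class NetworkHop:
    """One leg between the two phones. Latency is a logical value in ms so
    the simulation is deterministic; a real relay pays real network time."""

    name: str
    latency_ms: int
    log: List[str] = field(default_factory=list)

    def send(self, payload: bytes) -> bytes:
        self.log.append(f"{self.name}: {payload.hex()}")
        return payload


class VictimPhoneRelay:
    """Malware side on the victim's phone: the card is held against the
    phone, as the social-engineering script demands, and every forwarded
    APDU is passed straight through to it."""

    def __init__(self, card: MockCard) -> None:
        self.card = card

    def handle(self, apdu: bytes) -> bytes:
        return self.card.transmit(apdu)


class AttackerEmulator:
    """Card-emulation side on the attacker's phone at the terminal."""

    def __init__(self, uplink: NetworkHop, downlink: NetworkHop,
                 victim: VictimPhoneRelay) -> None:
        self.uplink, self.downlink, self.victim = uplink, downlink, victim

    def process_apdu(self, apdu: bytes) -> Tuple[bytes, int]:
        """Answer one terminal command; returns (response, round-trip ms)."""
        forwarded = self.uplink.send(apdu)        # attacker -> victim
        response = self.victim.handle(forwarded)  # victim taps the real card
        returned = self.downlink.send(response)   # victim -> attacker
        return returned, self.uplink.latency_ms + self.downlink.latency_ms


def run_session(commands: List[bytes],
                hop_latency_ms: int) -> List[Tuple[bytes, bytes, int]]:
    """Relay a list of terminal commands. hop_latency_ms=0 models the card
    being tapped directly against the terminal with no network in between."""
    victim = VictimPhoneRelay(MockCard())
    emulator = AttackerEmulator(NetworkHop("up", hop_latency_ms),
                                NetworkHop("down", hop_latency_ms), victim)
    return [(cmd, *emulator.process_apdu(cmd)) for cmd in commands]


def slow_exchanges(session: List[Tuple[bytes, bytes, int]],
                   threshold_ms: int) -> List[int]:
    """Indices of exchanges whose round trip exceeds the threshold. This is
    only the idea behind terminal-side relay checks (a relayed response
    cannot arrive faster than the network allows); it is not a real EMV
    mechanism and the threshold is an arbitrary example value."""
    return [i for i, (_, _, rtt) in enumerate(session) if rtt > threshold_ms]


if __name__ == "__main__":
    for cmd, resp, rtt in run_session([SELECT_PPSE, READ_RECORD], 60):
        print(f"{cmd.hex()} -> {resp.hex()}  ({rtt} ms round trip)")
```

The point of the simulation is structural: the terminal only ever talks to the attacker’s phone, the victim’s phone only ever talks to the card, and the malware needs no privileges on the victim’s device beyond NFC access to pass bytes in both directions. The extra network round trip is the one thing the relay cannot hide, which is why the round-trip column is tracked.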

The malware also included a fallback method to transfer funds directly between accounts if the NFC relay failed, ESET researcher Lukáš Štefanko noted.

This campaign, targeting clients of three Czech banks, operated from November 2023 until March 2024, when it was disrupted following the arrest of a 22-year-old suspect in Prague. 

What sets NGate apart is its misuse of a legitimate NFC research tool for criminal purposes, an approach that could pave the way for other attacks involving NFC tag cloning and payment card emulation.

Figure: Overview of the attack

The full extent of the financial damage remains unknown, but the Czech police recovered 160,000 Czech korunas (over €6,000) from just the last three victims at the time of the arrest.

The malware, consistent across samples (package name: rb.system.com), used WebViews to display phishing sites (e.g., https://client.nfcpay.workers[.]dev/?key=8e9a1c7b0d4e8f2c5d3f6b2) mimicking banks like Raiffeisenbank and ČSOB. 

NGate employed a JavaScript interface to control compromised devices, retrieving device information and initiating NFC relay attacks. It utilized two servers, one for phishing and attack coordination, and another for NFC traffic redirection. 

The evolution of the malware from PWA and WebAPK-based attacks to NFC relaying demonstrates the attackers’ increasing sophistication. 

Although the campaign is currently halted following the arrest, it shows how readily such attacks could spread to other regions.

Recommendations

Recommended precautions:

  • Check URLs carefully before entering credentials, to verify that a site really belongs to the bank.
  • Install apps only from official stores, and treat an “app” offered via a website link with suspicion, since PWAs and WebAPKs never pass through a store.
  • Never share card PINs, including with callers claiming to be bank employees.
  • Use a mobile security app to block malicious installs.
  • Turn off NFC when it is not needed.
  • Use RFID-blocking cases or sleeves to prevent unwanted scans of contactless cards.
  • Consider using digital versions of cards on a smartphone instead of carrying the physical cards.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.