Malware detected on Android that can steal credit card data.
A new malware called NGate has been discovered, allowing cybercriminals to easily steal credit card data from Android users via near-field communication (NFC) technology.
NGate, a new and extremely dangerous Android malware, is capable of sophisticatedly stealing payment card information. By exploiting Near-Field Communication (NFC) technology, this malware silently copies information from payment cards and transfers it directly to the perpetrator, turning your phone into an automated teller machine.
This malware will allow criminals to use user data at ATMs and POS (point-of-sale) machines to withdraw cash or pay for purchases at the cash register.
Recent research by the Slovakian cybersecurity company ESET has exposed an attack campaign that began in November 2023, in which hackers exploited advanced web applications such as PWAs and WebAPKs to steal users' bank login credentials, directly threatening users' assets in the Czech Republic.

In a report published on August 22nd, cybersecurity company ESET revealed an alarming finding: the NGate malware not only collects information but is also used to steal money directly from victims' bank accounts.
Malware steals card data via NFC chips.
The attacks begin with a series of sophisticated tactics, ranging from fake messages and scam calls to malicious advertisements, designed to entice victims to download and install malicious web applications, including PWAs and WebAPKs.
These malicious web applications are cleverly disguised as urgent security updates, completely mimicking the official interfaces and icons of banks, in order to trick users into providing account information.
Although they don't request any access permissions during installation, these applications silently exploit vulnerabilities in the browser's Application Programming Interface (API) to steal control of the device's hardware components without the user's knowledge.
The threat doesn't stop there. After being tricked into installing the WebAPK, victims will then be infected with the NGate malware. Alarmingly, NGate exploits NFCGate, a research tool originally created for security, to carry out malicious activities, turning the protective tool into a weapon of attack.
The NFCGate security tool offers a diverse set of features, including capturing, forwarding, replaying, and copying data on the device, without necessarily interfering with the root system. This makes the tool easy to use without worrying about risks.
The NGate malware exploits this tool to infiltrate the victim's device, steal sensitive data from nearby NFC payment cards, and secretly transfer it to the attacker through a network of underground servers.
Attackers can easily turn stolen data into a virtual card, then use it to withdraw cash at ATMs or make payments at points of sale, causing direct financial loss to the victim.
In a demonstration video, ESET security expert Lukas Stefanko proved the dangerous capabilities of NFCGate, showing how it can easily scan and steal data from cards in a victim's wallet or backpack. Even an attacker at a store could receive the data via a server and make contactless payments using the victim's card.
Furthermore, Stefanko warned that NFCGate could also copy the unique identifiers of some NFC access cards and tokens to gain access to restricted areas.
How do hackers obtain victims' credit card PINs?
Withdrawing cash at most ATMs requires a card PIN, which researchers say can be obtained by hacking into the victim's system.
After successfully tricking victims into installing the fake app, the scammers further enhance credibility by making direct phone calls, impersonating bank employees. With a professional tone and accurate personal information, they create a perfect scenario to deceive victims into believing their accounts are experiencing problems.
Then, using a carefully crafted SMS message, the attacker sends the victim a malicious link disguised as a security verification app to further steal sensitive information.
When victims scan their cards with their devices and enter their PIN for verification on the malware's phishing interface, sensitive information is transferred to the attacker, allowing the attacker to withdraw funds.
Czech police have broken up a gang using this method after arresting one of its members while he was withdrawing cash from an ATM in the capital, Prague.
ESET warns that the risk doesn't stop at just losing cash. NFCGate is also capable of copying many different types of cards, from access cards, transport tickets, ID cards, membership cards, and other NFC-enabled technologies, leading to far more serious consequences.
A simple way to enhance your device's security is to turn off NFC when not needed. To do this, go to Settings > Connections > NFC on your Android phone and disable it. This will help reduce the risk of information theft.
If you need to enable NFC all the time, carefully check all app permissions and restrict access to only necessary apps; only install banking apps from the organization's official website or Google Play and ensure the app you are using is not a WebAPK.
Regarding this discovery, a Google spokesperson stated that currently no apps containing NGate have been detected on the Google Play app store thanks to the automatic protection feature of Google Play Protect, which is enabled by default on Android devices with Google Play Services.
Google also stated that they did not find any such malware listed in Google Play because Play Protect can warn users and block apps with malicious behavior, even if those apps come from third-party sources.


