Android malware discovered that can steal credit card data
A new malware, NGate, has been discovered that allows cybercriminals to easily steal credit card data from Android users via near-field communication (NFC) technology.
NGate, a new and extremely dangerous Android malware, is capable of stealing payment card information in a sophisticated way. By exploiting Near-Field Communication (NFC) technology, the malware silently copies information from payment cards and transfers it directly to the criminals, turning your phone into an ATM.
This malware would allow criminals to use user data at ATMs and POS (point of sale) machines to withdraw money or pay for purchases at cash registers.
Recent research by cybersecurity company ESET (Slovakia) has exposed an attack campaign running since November 2023, in which hackers have been using progressive web apps (PWAs) and WebAPKs to steal users' banking credentials, directly threatening the assets of users in the Czech Republic.

In a report published on August 22, cybersecurity company ESET revealed an alarming discovery: the NGate malware not only collects information, but is also used to steal money directly from victims' bank accounts.
Malware steals card data via NFC chip
The attacks start with a variety of sophisticated tactics, from fake messages and scam calls to malicious ads, to lure victims into downloading and installing malicious web applications, including PWAs and WebAPKs.
These malicious web applications are cleverly disguised as urgent security updates, completely impersonating the official interface and logo of banks, in order to trick users into providing account information.
Although they do not require any permissions upon installation, these applications silently exploit vulnerabilities in the browser's Application Programming Interface (API) to steal control of the device's hardware components, completely without the user's knowledge.
The threat doesn’t stop there. After being tricked into installing the WebAPK, victims are then infected with the NGate malware. Alarmingly, NGate leverages a research tool originally created for security, NFCGate, to carry out its malicious activities, turning the protection tool into an attack weapon.
The NFCGate security tool provides a rich set of features, including capturing, forwarding, replaying, and copying NFC data on the device, without necessarily requiring the device to be rooted. This makes it easy for users to use the tool without worrying about risks.
The NGate malware uses this tool to infiltrate the victim's device, steal sensitive data from nearby NFC payment cards, and secretly transfer it back to the attacker via a network of underground servers.
Attackers can easily turn stolen data into a virtual card, then use it to withdraw cash at ATMs or make payments at points of sale, causing direct damage to the victim.
In a demonstration video, ESET security expert Lukas Stefanko showed the dangerous capabilities of NFCGate, including how it can easily scan and steal data from cards in a victim's wallet or backpack. An attacker at a store can even receive the data via a server and make contactless payments using the victim's card.
Stefanko also warned that NFCGate can copy the unique identifiers of some NFC access cards and tokens to gain access to restricted areas.
How do hackers get victims' card PINs?
Withdrawing cash at most ATMs requires a card PIN, which researchers say can be obtained by hacking the victim.
After successfully tricking the victim into installing the fake app, the scammer further increases their credibility by calling the victim directly, pretending to be a bank employee. With a professional tone and accurate personal information, they create the perfect scenario to trick the victim into believing that there is a problem with their account.
Then, using a carefully crafted SMS message, the attacker sends the victim a malicious link, disguised as a security verification application, to continue stealing important information.
When the victim swipes the card using their device and enters the PIN for verification on the malware's phishing interface, the sensitive information is passed to the attacker, allowing the attacker to withdraw money.
Czech police have broken up a gang using this method after arresting one of its members while withdrawing cash from an ATM in the Czech capital Prague.
ESET warns that the risk goes beyond just losing cash. NFCGate is also capable of cloning a wide range of cards, including access cards, transportation tickets, ID cards, membership cards, and other NFC-enabled technologies, with much more serious consequences.
One simple way to increase the security of your device is to turn off NFC when it's not needed. To do this, go to Settings > Connections > NFC on your Android phone and turn it off. This will help you reduce the risk of having your information stolen.
If you need to enable NFC all the time, double-check all app permissions and restrict access to only those apps that need it; only install banking apps from the organization's official website or Google Play, and make sure the app you're using isn't a WebAPK.
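The permission and WebAPK checks above can be scripted for a device under review. The following is an added example, not part of the original article or of ESET's report: it parses output captured with `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`, and flags WebAPKs and apps that request the NFC permission but were not installed by Google Play. The sample package names and the trusted-installer list are constructed assumptions.

```python
import re

NFC_PERMISSION = "android.permission.NFC"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted
WEBAPK_PREFIX = "org.chromium.webapk."        # package prefix of Chrome-generated WebAPKs

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines into {package: installer}."""
    pattern = r"^package:(\S+)[ \t]+installer=(\S+)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, pm_output, re.M)}

def requested_permissions(dumpsys_output):
    """Return the names listed under 'requested permissions:' in `dumpsys package`."""
    perms, inside = set(), False
    for line in dumpsys_output.splitlines():
        text = line.strip()
        if text == "requested permissions:":
            inside = True
        elif inside and text.endswith(":"):  # next section header ends the list
            break
        elif inside and text:
            perms.add(text.split(":")[0])    # drop suffixes such as ": restricted=true"
    return perms

def audit(installers, perms_by_pkg):
    """Flag WebAPKs (whatever their installer) and non-Play apps that request NFC."""
    findings = []
    for pkg, installer in sorted(installers.items()):
        if pkg.startswith(WEBAPK_PREFIX):
            findings.append((pkg, "WebAPK"))
        elif (NFC_PERMISSION in perms_by_pkg.get(pkg, set())
              and installer not in TRUSTED_INSTALLERS):
            findings.append((pkg, "NFC permission, installer=" + installer))
    return findings

# Constructed sample data, standing in for real adb output.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.update  installer=null
package:org.chromium.webapk.a0000000000000000_v2  installer=com.android.vending
"""
NFC_DUMP = ("    requested permissions:\n      android.permission.NFC\n"
            "      android.permission.INTERNET\n    install permissions:\n"
            "      android.permission.NFC: granted=true\n")
SAMPLE_PERMS = {"com.example.bank": requested_permissions(NFC_DUMP),
                "com.example.update": requested_permissions(NFC_DUMP)}

if __name__ == "__main__":
    for pkg, reason in audit(parse_installers(SAMPLE_PM), SAMPLE_PERMS):
        print(pkg, "->", reason)
```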
Regarding this discovery, a Google spokesperson said that currently no apps containing NGate have been detected on the Google Play app store thanks to the automatic protection function of Google Play Protect, which is enabled by default on Android devices with Google Play Services.
Google also said it found no such malware listed in Google Play because Play Protect can warn users and block apps with malicious behavior even if they come from third-party sources.