A sophisticated strain of Android malware has been uncovered in a campaign that targeted customers of three major Czech banks over the past nine months. Researchers at the Slovak cybersecurity firm ESET have named the malware NGate and identify it as part of a broader series of attacks in which the operators built near-identical replicas of legitimate European banking apps and used them, in a multi-stage phishing scheme, to steal user data.
Lukáš Štefanko, the ESET researcher who discovered the threat, said NGate is particularly alarming because it relays payment card data from a malicious app on the victim's Android device to a device controlled by the attacker: the app reads the victim's physical payment card over near field communication (NFC) and forwards that traffic to the attacker's phone, which can then present it to a terminal as if the card were there.
Once the card data had been relayed, the attackers used it to carry out unauthorized transactions at ATMs. When that failed, they fell back on transferring money directly from the victim's bank account to other accounts.
Štefanko noted, “We haven’t seen this novel NFC relay technique in any previously discovered Android malware.”
The Phishing Campaign: ‘Place Your Card Here’
The campaign started with phishing messages that purported to come from the victim's bank and claimed that the victim's device had been compromised. The messages instructed the victim to download a supposedly corrective app, which in fact infected the Android device with NGate.
The malicious app was never available on the official Google Play store. It was typically downloaded from links sent by text message, served from domains that impersonated the banks' websites or their official mobile banking apps.
Once installed, NGate displayed a fake banking website that prompted the victim to enter sensitive details such as client ID, date of birth and the PIN for the payment card. It then told the victim to enable NFC on the phone and to hold the payment card against the back of the device until the app reported that it had recognized the card. NGate is built on NFCGate, an open-source research tool designed to relay NFC traffic between two devices; the relay is what carried the card's data from the victim's phone to the attacker's device.
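To make the relay concrete, here is an added Python model of the mechanism. It is not NGate or NFCGate code: an "ATM-side" phone that answers the terminal by forwarding each APDU over a network link to the "victim-side" phone, which passes it to the card on its back and returns the answer. The mock card, its responses, the length-prefixed wire format and the latency threshold are all constructed assumptions for this example; the phones are wired together with an in-process socket pair so the whole thing runs offline.

```python
"""Toy model of an NFC relay of the kind the article describes: the phone at
the ATM emulates a card and forwards every APDU over a network link to the
victim's phone, which 'taps' it to the real card held against its back.
Added illustration, not NGate or NFCGate code; the card responses, the link
framing and the timing threshold are constructed for this example."""
import socket
import struct
import threading
import time

# Constructed mock card: command APDU (hex) -> response APDU (hex).
# SELECT "2PAY.SYS.DDF01" (the contactless PPSE) is answered with a constructed
# FCI listing one application; any other command gets the standard 6A82
# ("file not found") status word.
MOCK_CARD = {
    "00a404000e325041592e5359532e444446303100":
    "6f23840e325041592e5359532e4444463031a511bf0c0e610c4f07a00000000410108701019000",
}
SELECT_PPSE = bytes.fromhex("00a404000e325041592e5359532e444446303100")


def frame(data: bytes) -> bytes:
    """Length-prefix an APDU for the relay link (constructed wire format)."""
    return struct.pack(">H", len(data)) + data


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("relay link closed")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> bytes:
    (n,) = struct.unpack(">H", recv_exact(sock, 2))
    return recv_exact(sock, n)


def card_side_phone(link: socket.socket, card=MOCK_CARD, link_delay: float = 0.0) -> None:
    """Victim's infected phone: each APDU arriving over the link is passed to
    the card on its back and the card's answer is sent back. link_delay
    models the network hop the attacker cannot avoid; the mock card itself
    answers instantly."""
    try:
        while True:
            apdu = recv_frame(link)
            time.sleep(link_delay)
            link.sendall(frame(bytes.fromhex(card.get(apdu.hex(), "6a82"))))
    except ConnectionError:
        pass
    finally:
        link.close()


class RelayedCard:
    """Attacker's phone at the ATM: what the terminal sees as 'the card'."""

    def __init__(self, link: socket.socket) -> None:
        self.link = link

    def transceive(self, apdu: bytes) -> bytes:
        self.link.sendall(frame(apdu))
        return recv_frame(self.link)


def terminal_select(card: RelayedCard, apdu: bytes, max_rtt_ms: float) -> dict:
    """One terminal step with a constructed latency check: a relayed card
    answers a network round trip later than a card physically on the reader.
    Real terminals have their own relay-resistance mechanisms; the threshold
    here is purely illustrative."""
    t0 = time.perf_counter()
    resp = card.transceive(apdu)
    rtt_ms = (time.perf_counter() - t0) * 1000.0
    sw = resp[-2:].hex()
    return {"response": resp.hex(), "sw": sw, "rtt_ms": rtt_ms,
            "accepted": sw == "9000" and rtt_ms <= max_rtt_ms}


def run_relay(apdu: bytes = SELECT_PPSE, link_delay: float = 0.0,
              max_rtt_ms: float = 1000.0) -> dict:
    """Wire the two phones together over an in-process socket pair and run
    one terminal command through the relay."""
    atm_end, victim_end = socket.socketpair()
    worker = threading.Thread(target=card_side_phone,
                              args=(victim_end, MOCK_CARD, link_delay), daemon=True)
    worker.start()
    try:
        return terminal_select(RelayedCard(atm_end), apdu, max_rtt_ms)
    finally:
        atm_end.close()      # closing the ATM end ends the victim-side loop
        worker.join(timeout=2)


if __name__ == "__main__":
    print(run_relay())                                  # relayed SELECT PPSE, status 9000
    print(run_relay(link_delay=0.2, max_rtt_ms=50.0))   # same relay, rejected on latency
```

The terminal-side latency check is the practitioner's caveat: a relayed tap pays a network round trip on every APDU, which is why the relay-resistance mechanisms built into contactless payment protocols are timing-based. The threshold used here is a constructed value for the demonstration, not anything a real terminal enforces.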
ESET researchers have been monitoring the activities of the group behind this campaign since November 2023, observing that their primary targets were customers of prominent Czech banks. The group’s operations were temporarily halted following the reported arrest of an unnamed member in March 2024.
This is the first known instance of Android malware with NFC relay capabilities being deployed in the wild. Štefanko urged the public to exercise caution online: verify URLs before entering credentials, keep PINs secret, and disable NFC on the phone when it is not in use. He also recommended virtual cards, which provide temporary card details for safer online transactions.
