2024-08-26

Cybersecurity researchers have discovered a new Android malware, dubbed NGate, which is able to transmit victims’ payment card data, read from physical credit and debit cards, to a device controlled by attackers with the aim of carrying out fraudulent transactions.

What is known about Ngate

Slovak cybersecurity firm Eset is tracking the new malware, NGate, and says it has observed a criminal campaign targeting three banks in the Czech Republic.

[Image: Eset cybersecurity researcher Lukáš Štefanko “unmasks” NGate malware]

The malware “has the unique ability to transmit victims’ payment card data, via a malicious application installed on their Android devices, to the attacker’s rooted Android phone,” researchers Lukáš Štefanko and Jakub Osmani said in an analysis.

The activity is part of a broader campaign that has been targeting financial institutions in the Czech Republic since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.

Ngate’s goal and how it works

The ultimate goal of the attacks is to capture near field communication (NFC) data from victims’ physical payment cards using NGate and relay that information to an attacker’s device, which then emulates the original card to withdraw money from an ATM.

NGate has its roots in a legitimate tool called NFCGate, originally developed in 2015 for security research purposes by students of the Secure Mobile Networking Lab at TU Darmstadt.

[Image: diagram of how NGate works, delivered through deceptive SMS messages]

The attack chains are believed to combine social engineering and SMS phishing to trick users into installing NGate, directing them to short-lived domains that mimic legitimate banking websites or the official mobile banking apps available on the Google Play Store.

So far, six different NGate apps have been identified between November 2023 and March 2024, when operations likely stopped following the arrest of a 22-year-old by the Czech authorities in connection with the theft of funds from ATMs.

Ngate and phishing attempts

In addition to abusing NFCGate’s functionality to capture NFC traffic and forward it to another device, NGate prompts users to enter sensitive financial information, including their bank account ID, date of birth, and their bank card PIN. The phishing page is presented inside a WebView.

“It also asks users to enable NFC functionality on their smartphone,” the researchers said. “Next, victims are instructed to place their payment card on the back of their smartphone until the malicious application recognizes the card.”

The malware spreads through web pages that imitate the current look of the Google Play Store.

The attacks also take a sneaky approach: after installing the PWA or WebAPK app via links sent by SMS, victims have their credentials stolen and then receive calls from the cybercriminal, who pretends to be a bank employee and tells them their bank account has been compromised because of the app they installed.

They are then instructed to change their PIN and validate their bank card using a different mobile app (i.e. NGate), the installation link for which is also sent via SMS. Fortunately, there is no evidence that these apps were distributed through the Google Play Store.

“NGate uses two separate servers to facilitate its operations,” the researchers explained. “The first is a phishing website designed to lure victims into providing sensitive information and can initiate an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim’s device to the attacker’s.”

More Malware on the Horizon

The disclosure comes as Zscaler ThreatLabz detailed a new variant of a popular Android banking trojan called Copybara, which spreads via voice phishing (vishing) attacks and tricks victims into entering their bank account credentials.

“This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to establish communication with its command and control (C2) server,” said Ruchna Nigam, concluding: “The malware abuses the native Accessibility Service functionality of Android devices to exercise granular control over the infected device. In the background, the malware also proceeds to download phishing pages that imitate popular cryptocurrency exchanges and financial institutions using their logos and application names.”

What to do if you encounter this malware

Since the malware is written for Eastern European languages (Czech and Slovak), it is very unlikely that an Italian user will come across it. Still, there are some rules worth following:

Prevention: I know, I always say this, but it really is hard to get into people’s heads. If you look closely at the image above, you will immediately notice that the link has nothing to do with Google services. Incredible but true: reading can save the life of your Android phone;
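To make the “read the link” advice concrete, here is an added example (not code from the article, Eset, or the NGate analysis) that pulls links out of an SMS body and flags hosts that merely resemble the Google Play Store or a bank’s domain, as the lookalike domains described above do. The bank domain `mybank.example` and the SMS texts are constructed placeholders; only `play.google.com` is a real host.

```python
"""
Heuristic triage of links found in SMS messages: does the host really
belong to the Play Store (or your bank), or does it only look like it?
Added example for this article; not tooling from Eset or the NGate report.
"""
import re
from urllib.parse import urlsplit

# Hosts treated as genuine. play.google.com is real; "mybank.example" is a
# placeholder (assumption) to be replaced with your own bank's domain.
TRUSTED_HOSTS = {
    "play.google.com",
    "mybank.example",
}

# Brand words whose presence in an untrusted host is a red flag.
BRAND_WORDS = ("google", "play", "bank")

# Matches http(s) links and bare "www." links inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Return every http(s)/www link found in an SMS body."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")   # drop trailing punctuation
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify_link(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """
    Classify one link:
      'trusted'   - exactly a trusted host, or a subdomain of one
      'ip'        - a bare IPv4 address instead of a name
      'punycode'  - an IDN (xn--) label, typical of homograph lookalikes
      'lookalike' - contains a brand word but is not trusted
                    (e.g. play.google.com.verify-app.example)
      'unknown'   - none of the above (still not trusted)
    """
    host = hostname_of(url)
    if not host:
        return "unknown"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "ip"
    # Match only on label boundaries: "play.google.com.evil.example"
    # must NOT count as trusted just because it contains the real name.
    for trusted in trusted_hosts:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def triage_sms(text: str) -> list[tuple[str, str]]:
    """Pair every link in an SMS with its verdict."""
    return [(url, classify_link(url)) for url in extract_urls(text)]


if __name__ == "__main__":
    # Constructed sample messages, not real campaign SMS.
    samples = [
        "Update your banking app here: https://play.google.com/store/apps/details?id=example.bank",
        "Your card is blocked, verify at https://play.google.com.verify-app.example/nbk.",
        "New app version: http://192.0.2.10/bank.apk",
    ]
    for sms in samples:
        for url, verdict in triage_sms(sms):
            print(f"{verdict:10} {url}")
```

The important design choice is the suffix check on label boundaries: a plain substring test would accept `play.google.com.verify-app.example`, which is exactly the kind of host a phishing SMS uses. Anything other than `trusted` deserves a second look before tapping.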

A good antivirus: although the Google Play Store has introduced a sort of Windows Defender for Android, it is not a bad idea to run a scan with another product. There are Eset and Malwarebytes, or even Hypatia, a free app on F-Droid that offers real-time protection;

Good browsing habits: the bad habit of clicking on everything dies hard, and malware like NGate exploits people’s lack of attention;

Backup: the thing that is always recommended but nobody ever does, making a copy of your data so that you do not find yourself “stranded in the middle of the internet’s digital highway”;

Beware of “nostalgic” memes and posts: you may have noticed posts on Facebook or Instagram like “When I was little I had a little dog, his name was XXXXX”. Security questions are very often about our past (favourite restaurant, name of our childhood pet, mother’s maiden name, etc.), and we should avoid replying to these posts;

Non-trivial credentials: if you use a trite word like “passerottina82” as your password, which contains not only your date of birth, making part of the password obvious, but also a common word, you are practically asking for it.

These are rules of “good conduct against malware and phishing” that should apply not only to NGate but to the internet in general. However, it cannot be ruled out that malware like NGate, or similar malware (which is already circulating anyway), could also arrive in Italy in the Italian language: always pay attention when you surf the web.