Thursday September 19, 2024

Advisory ID: NCC-CSIRT-260824-007

Summary: 

ESET malware researcher Lukas Stefanko has identified a new Android malware called NGate. This malware is capable of stealing funds from payment cards by transmitting data collected by the near-field communication (NFC) chip to an attacker’s device. With NGate, attackers can emulate the victims' cards, allowing them to make unauthorized payments or withdraw cash from ATMs.

Threat Type(s): Malware and Phishing

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Android Devices

Platform(s): Android OS

Version(s): All Versions

Description: 

The attack begins with malicious texts, automated calls with pre-recorded messages, or malvertising, which trick victims into installing a malicious progressive web app (PWA) on their devices. These PWAs, disguised as urgent security updates, mimic the official icon and login interface of the targeted bank to steal client credentials. The apps require no special permissions upon installation, instead exploiting the web browser's API to gain access to the device's hardware components.

After the phishing stage, the victim is further deceived into installing NGate during the second phase of the attack. Once installed, NGate activates an open-source tool called 'NFCGate,' which enables on-device capturing, relaying, replaying, and cloning of NFC data. This tool can function without the device being rooted. NGate captures NFC data from payment cards near the infected device and transmits it to the attacker, either directly or via a server. The attacker can then save this data as a virtual card and use it to withdraw cash from ATMs or make payments at point-of-sale (PoS) systems.

Solution: 

  • If you are not actively using NFC, you can mitigate the risk by disabling your device's NFC chip. On Android, go to Settings > Connected devices > Connection preferences > NFC and turn the toggle to the off position.
  • Only install bank apps from the bank's official webpage or Google Play.
  • Ensure the bank app you are using is not a WebAPK.
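
One way to check the last two points on a device connected over adb, as an added example that is not part of the original advisory. It assumes that Chrome-generated WebAPKs use the package prefix org.chromium.webapk. and that Google Play's installer package is com.android.vending; the function name, the keyword "examplebank" and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Audit `pm list packages -i` output for WebAPKs and for bank-named apps
# that were not installed by Google Play.
# Assumptions (not from the advisory): the WebAPK prefix and Play installer below.
WEBAPK_PREFIX="org.chromium.webapk."
PLAY_INSTALLER="com.android.vending"

# audit_packages KEYWORD
# Reads lines of the form "package:<name>  installer=<installer>" on stdin and
# prints one finding per line: "WEBAPK <pkg>" or "NON_PLAY <pkg> <installer>".
# NON_PLAY is reported only for package names containing KEYWORD (for example
# the bank's name), so system packages stay out of the report.
audit_packages() {
    keyword="$1"
    while read -r pkg_field inst_field rest; do
        case "$pkg_field" in
            package:*) pkg="${pkg_field#package:}" ;;
            *) continue ;;                       # skip lines that are not package rows
        esac
        installer="${inst_field#installer=}"
        [ -n "$installer" ] || installer="null"  # missing field: treat as unknown source
        case "$pkg" in
            "$WEBAPK_PREFIX"*) echo "WEBAPK $pkg"; continue ;;
        esac
        case "$pkg" in
            *"$keyword"*)
                [ "$installer" = "$PLAY_INSTALLER" ] || echo "NON_PLAY $pkg $installer" ;;
        esac
    done
}

# Constructed sample input (not real device output).
sample_listing() {
    cat <<'EOF'
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a0000000000000000000000000000000_v2  installer=com.android.vending
package:com.examplebank.mobile  installer=com.android.vending
package:com.examplebank.update  installer=null
EOF
}

# On a real device:
#   adb shell pm list packages -i | tr -d '\r' | audit_packages examplebank
sample_listing | audit_packages examplebank
```

A NON_PLAY finding is a prompt to confirm the app came from the bank's official webpage, not proof of compromise; a WEBAPK finding means the entry is an installed web app rather than a native bank app.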
