Android Malware Uses NFC Reader to Steal Payment Card Data and Emulate Cloned Cards

ICARO Media Group
News
23/08/2024 21h18

In a significant development, security firm ESET has uncovered a new Android malware called NGate. The malware uses the infected device's NFC reader to read a victim's payment card and relay the card's responses to an attacker's device, which presents them to an ATM or point-of-sale terminal as if it were the card itself. In effect the attackers obtain a working copy of the card without ever touching it, and can use it to make unauthorized withdrawals or payments from the victim's account.

What sets NGate apart is that it builds on NFCGate, an open source research tool for capturing, analyzing, relaying, or altering NFC traffic. NFC, short for Near-Field Communication, is a short-range wireless protocol used by contactless cards and phones; the reader and the card normally have to be within a few centimetres of each other, which is the assumption a relay attack breaks.

According to ESET researcher Lukas Stefanko, this is the first time Android malware with this capability has been observed in the wild. In a video demonstrating the discovery, Stefanko explains that NGate can use a compromised device to relay NFC data from a victim's card to an attacker's smartphone. The attacker's phone then emulates the card, answering the terminal with the relayed responses, which is enough to withdraw money from an ATM.
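The relay described above, and the timing signal a terminal can use to notice it, as an added illustration (this is not NGate, NFCGate or ESET code). Everything in it is constructed: the two commands are simplified stand-ins for EMV's SELECT and GET PROCESSING OPTIONS, the card's answers are placeholders, and the latency figures and the 20 ms threshold are assumptions chosen for the demo. The point it makes is that the bytes the ATM receives are identical whether the real card or the relay is answering; only the round-trip time differs.

```python
"""Simulated NFC relay (victim's card -> infected phone -> attacker's phone -> ATM)
plus a round-trip-time check on the terminal side.

Added illustration, not code from NGate, NFCGate or ESET. APDUs, card answers,
latencies and the threshold are all constructed/assumed values.
"""
from dataclasses import dataclass, field

# Constructed sample commands (shapes borrowed from EMV, payloads simplified).
SELECT_PPSE = bytes.fromhex("00A404000E" + "325041592E5359532E4444463031")  # SELECT "2PAY.SYS.DDF01"
GPO = bytes.fromhex("80A8000002830000")                                    # GET PROCESSING OPTIONS
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6A\x82"


class SimClock:
    """Deterministic clock so the timing check is reproducible (no real sleeping)."""
    def __init__(self) -> None:
        self.now_ms = 0.0

    def advance(self, ms: float) -> None:
        self.now_ms += ms


class VictimCard:
    """The real contactless card. `pan_hint` is a constructed placeholder for card data."""
    PROCESSING_MS = 3.0  # assumed on-card processing time per command

    def __init__(self, pan_hint: bytes, clock: SimClock) -> None:
        self.pan_hint = pan_hint
        self.clock = clock

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.PROCESSING_MS)
        if apdu == SELECT_PPSE:
            return b"\x6F\x02\x84\x00" + SW_OK  # constructed FCI template
        if apdu == GPO:
            return self.pan_hint + SW_OK
        return SW_FILE_NOT_FOUND


@dataclass
class RelayedCard:
    """What the ATM sees: the attacker's phone in card-emulation mode. Every APDU
    is shipped over the network to the infected phone, which taps the real card,
    and the answer is shipped back. Each hop costs `one_way_ms` of simulated time."""
    card: VictimCard
    clock: SimClock
    one_way_ms: float
    captured: list = field(default_factory=list)  # traffic the attacker gets to see

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.one_way_ms)   # ATM -> attacker phone -> infected phone
        resp = self.card.transceive(apdu)     # infected phone reads the victim's card
        self.clock.advance(self.one_way_ms)   # response travels back to the attacker phone
        self.captured.append((apdu.hex(), resp.hex()))
        return resp


def run_terminal(card, clock: SimClock, max_rtt_ms: float):
    """Terminal side: select the payment application, then request processing
    options, timing each command. Returns (accepted, responses, worst_rtt_ms).
    The threshold is an assumed demo value; real relay-resistance checks use
    card-declared timing bounds rather than a fixed number."""
    responses, worst = [], 0.0
    for apdu in (SELECT_PPSE, GPO):
        t0 = clock.now_ms
        resp = card.transceive(apdu)
        rtt = clock.now_ms - t0
        worst = max(worst, rtt)
        if not resp.endswith(SW_OK):
            return False, responses, worst
        responses.append(resp)
    return worst <= max_rtt_ms, responses, worst


def demo():
    """Same card, tapped directly and then through a relay: identical bytes, different timing."""
    clock = SimClock()
    card = VictimCard(pan_hint=bytes.fromhex("5A08" + "4111111111111111"), clock=clock)
    direct = run_terminal(card, clock, max_rtt_ms=20.0)

    relay = RelayedCard(card=card, clock=clock, one_way_ms=40.0)  # assumed mobile-network hop
    relayed = run_terminal(relay, clock, max_rtt_ms=20.0)
    return direct, relayed, relay.captured


if __name__ == "__main__":
    (ok_direct, r_direct, rtt_direct), (ok_relay, r_relay, rtt_relay), captured = demo()
    print("direct tap accepted:", ok_direct, "worst rtt ms:", rtt_direct)
    print("relayed tap accepted:", ok_relay, "worst rtt ms:", rtt_relay)
    print("responses identical:", r_direct == r_relay)
    print("attacker captured:", captured)
```

Run it and the direct tap passes with a worst round trip of a few milliseconds while the relayed tap, returning byte-for-byte the same responses, fails on timing alone. That is why content inspection at the terminal cannot stop this class of attack and why the countermeasure has to live in the protocol timing or in the bank's risk engine.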

To get the malware installed, the attackers have relied on conventional phishing. They send messages that trick potential victims into installing NGate from short-lived domains that masquerade as banks or as the official mobile banking apps found on Google Play. Posing as the victim's banking app, NGate prompts the user to enter their banking client ID, date of birth, and the PIN for their card. It then instructs the user to enable NFC and hold the card against the phone.

ESET has identified NGate being used against customers of three Czech banks from November 2023 to March 2024, with multiple variants of the malware circulating during this time. Some of the later variants were distributed as Progressive Web Apps (PWAs), which are installed through the browser on both Android and iOS and so sidestep the device setting that blocks installation of apps from outside the official stores.

The NGate campaign came to a halt in March, when Czech police apprehended a 22-year-old suspect in Prague who was withdrawing money from ATMs while wearing a mask. Authorities believe the individual was using the same scheme as the NGate operation.

The attack chain begins with SMS messages that lure potential victims with the promise of a tax refund and link to phishing websites impersonating their bank. The links lead to malicious PWAs that harvest banking credentials, giving the attackers access to the victims' accounts. The attackers then phone the victims posing as bank employees and tell them their accounts have been compromised. To "protect" their funds, the victims are instructed to download NGate and change their card PIN, which hands the attackers the PIN along with the relayed card data they need at the ATM.

Because NGate lets the attackers withdraw cash directly from an ATM with the emulated card, the money never has to pass through a bank account under their control, so there is no money-mule account to trace, which makes the technique an unusually efficient way to drain victims' funds. ESET's researchers also warn that the same approach could be used in other scenarios, such as relaying other kinds of contactless smart cards, for example access badges, by forwarding the identifiers they present.

Such attacks could occur wherever the attacker has physical access to a card or can briefly read one through an unattended purse, wallet, backpack, or phone case holding cards. Note that the attacker's own device, the one that emulates the card at the terminal, needs to be a rooted and customized Android phone, while the victim's NGate-infected phone does not need root at all; reading the card only requires the NFC permission that the app asks for.

This discovery highlights the need for heightened vigilance among Android users and serves as a reminder to avoid clicking on suspicious links or installing apps, including "web apps", from untrusted sources. No bank will ask a customer to install an app or scan a card over the phone. Staying informed about current threats and keeping device software up to date remain essential to protecting personal and financial information.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.