Android Malware Steals Payment Card Data Using Never-Before-Seen Technique


A newly discovered Android malware steals payment card data using the NFC reader on the infected device and transmits it to attackers, a new technique that effectively clones the card so it can be used at ATMs or point-of-sale terminals, cybersecurity firm ESET said.

ESET researchers have named the malware NGate because it includes NFCGate, an open source tool for capturing, analyzing, or altering NFC traffic. Short for near-field communication, NFC is a protocol that allows two devices to communicate wirelessly over short distances.

New attack scenario on Android

“This is a new attack scenario for Android, and the first time we have seen Android malware with this capability used in the wild,” said ESET researcher Lukas Stefanko in a report. “The discovery shows that the NGate malware can transmit NFC data from a victim’s card via a compromised device to the attacker’s smartphone, which is then able to spoof the card and withdraw money from an ATM.”

Lukas Stefanko – NGate Unmasked.

The malware is installed through traditional phishing scenarios, such as the attacker sending messages to targets and tricking them into installing NGate from short-lived domains impersonating banks or official mobile banking apps available on Google Play. NGate disguises itself as a legitimate app from the target’s bank, prompting the user to enter the bank’s customer ID, date of birth, and the corresponding card PIN. The app then prompts the user to turn on NFC and scan the card.

ESET said it detected NGate being used against three Czech banks starting in November and identified six separate NGate apps that were in circulation between then and March this year. Some of the apps used in later months of the campaign came in the form of PWAs, short for Progressive Web Apps, which, as reported on Thursday, can be installed on Android and iOS devices even when settings (mandatory on iOS) prevent installation of apps available from unofficial sources.

ESET said the most likely reason for the NGate campaign ending in March was the arrest by Czech police of a 22-year-old man who they say was caught wearing a mask while withdrawing money from an ATM in Prague. Investigators said the suspect “has come up with a new way to trick people and steal their money” using a scheme that appears identical to the one involving NGate.

Stefanko and fellow ESET researcher Jakub Osmani explained how the attack works:

The Czech police announcement revealed that the attack scenario began with the attackers sending text messages to potential victims about a tax return, including a link to a phishing site impersonating banks. These links likely led to malicious Progressive Web Apps. Once the victim installed the app and entered their credentials, the attacker gained access to the victim’s account. The attacker then contacted the victim, pretending to be a bank employee. The victim was told that their account had been hacked, most likely due to the previous text message. The attacker was actually telling the truth — the victim’s account had been hacked, but that truth then led to another lie.

To protect their funds, the victim was asked to change their PIN and verify their bank card using a mobile app – NGate malware. A link to download NGate was sent via SMS. We suspect that within the NGate app, victims would enter their old PIN to create a new one and put their card on the back of their smartphone to verify or apply the change.

Since the attacker already had access to the compromised account, they could change the withdrawal limits. If the NFC redirection method didn’t work, they could simply transfer the funds to another account. However, using NGate makes it easier for the attacker to access the victim’s funds without leaving traces back to the attacker’s bank account. A diagram of the attack sequence is shown in Figure 6.

NGate attack overview.

The researchers said that NGate or similar apps could be used in other scenarios, such as cloning some smart cards used for other purposes. The attack would work by copying the unique identifier of the NFC tag, abbreviated as UID.

“During our tests, we successfully migrated the unique user ID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases,” the researchers wrote. “Using NFCGate, it is possible to perform an NFC transmission attack to read an NFC token in one location and, in real time, access buildings in a different location by spoofing its unique user ID, as shown in Figure 7.”

Figure 7. An Android smartphone (right) reads the UID of an external NFC tag and transmits it to another device (left).

Cloning may occur in situations where an attacker has physical access to a card or is able to briefly read a card in handbags, wallets, backpacks, or smartphone cases that contain cards. To perform and simulate such attacks, an attacker would need to have a custom, rooted Android device. The phones infected with NGate did not have this requirement.
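
The UID-copying point above, as an added example that is not from ESET or the original article: a reader that trusts the UID alone accepts any device presenting it, while a reader that demands a keyed response to a fresh challenge rejects a device that only knows the UID. The UID, key, class names and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the ESET report.
ENROLLED_UID = bytes.fromhex("04a1b2c3")   # 4-byte UID, a common length for MIFARE Classic 1K
CARD_KEY = secrets.token_bytes(16)         # hypothetical per-card secret set at enrolment
ENROLLED = {ENROLLED_UID: CARD_KEY}        # reader-side database: UID -> key


class GenuineCard:
    """Card that holds a secret key and answers challenges with an HMAC."""

    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, challenge):
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class UidOnlyEmulator:
    """Device that presents a copied UID but never had the card's key."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return bytes(32)  # without the key it cannot compute the expected MAC


def reader_uid_only(card):
    """Weak check: grants access to anything presenting an enrolled UID."""
    return card.uid in ENROLLED


def reader_challenge_response(card):
    """Stronger check: the card must prove knowledge of its key over a fresh nonce."""
    key = ENROLLED.get(card.uid)
    if key is None:
        return False
    challenge = secrets.token_bytes(16)  # fresh per attempt, so old responses are useless
    expected = hmac.new(key, card.uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))
```

The challenge-response reader stops a static UID copy only; a live relay that forwards each challenge to the genuine card would still pass this check.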
