The research team at ESET, a leading proactive threat detection company, discovered a campaign targeting customers of different banks whose main objective was to facilitate unauthorized ATM withdrawals from victims’ accounts. The malware used, which ESET named NGate, has the unique ability to transmit payment card data via a malicious application installed on the victim’s Android device to the attacker’s rooted Android phone.
ESET’s key findings:
Attackers combined standard malicious techniques (social engineering, phishing and Android malware) in a new attack scenario; ESET suspects that messages impersonating, in this case, Czech banks were sent to random phone numbers, and that customers of three banks were caught by them.
According to ESET Threat Intelligence data, the group had been operating since November 2023 in Czechia and, as of March 2024, its techniques had improved with the deployment of the NGate malware for Android.
The attackers were able to clone NFC data from victims’ physical payment cards using NGate and relay this data to an attacker’s device, which was then able to emulate the original card and withdraw money from an ATM.
This is the first time Android malware with this capability has been identified in use in the wild, and the technique works without the victims' devices having been rooted.
The victims downloaded and installed the malware after being tricked into thinking they were communicating with their bank and that their device was compromised. In reality, they had unknowingly compromised their own Android devices by downloading and installing an application from a link in a misleading SMS message about a possible tax return. ESET points out that NGate was never available in the official Google Play store.
Image caption: Fake banking website (left) and fake Google Play website (right).
The unauthorized ATM withdrawals were achieved by relaying near field communication (NFC) data from the victims’ physical payment cards via their compromised Android smartphones using the NGate for Android malware to the attacker’s device. The attacker then used this data to perform ATM transactions. If this method failed, the attacker had an alternative plan to transfer funds from the victims’ accounts to other bank accounts.
“We have not seen this novel NFC relaying technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze or alter NFC traffic; therefore, we call this new malware family NGate”, says Lukáš Štefanko, ESET Researcher who discovered the threat and technique.
In addition to its phishing capabilities, the NGate malware also comes with a tool called NFCGate, which is misused to transmit NFC data between two devices: the victim’s device and the perpetrator’s device. Some of these functions only work on rooted devices; however, in this case, the transmission of NFC traffic is also possible from unrooted devices. NGate also asks its victims to enter sensitive information such as their bank customer ID, date of birth and bank card PIN code. It also asks them to activate the NFC function on their smartphones. Then, victims are instructed to place their payment card on the back of their smartphone until the malicious app recognizes the card.
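The relay described above depends on an Android feature that works on unrooted phones: host card emulation (HCE), which lets an app present itself to a reader as a contactless card. A defender triaging a handset can therefore look for side-loaded apps that register an HCE service. The script below is an added example written for this page, not ESET's code and not part of NGate or NFCGate; it parses the output shape of `adb shell pm list packages -i` and each app's manifest, and flags packages that were not installed from Google Play yet declare both the NFC permission and a HostApduService. The package names, installer values and manifests are constructed sample data, and treating only `com.android.vending` as a trusted installer is an assumption for the example.

```python
"""Triage helper: flag side-loaded Android apps that can emulate a contactless card.

Added example, not ESET's or the NGate/NFCGate code. Inputs a defender can
collect from a handset over adb:
  * `adb shell pm list packages -i`  -> package name plus installer package
  * each app's AndroidManifest.xml   -> does it register a host-card-emulation
                                         (HCE) service?
HCE is what lets an unrooted phone act as a contactless card, the capability an
NFC relay needs on the attacker's side. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumption for this example: only Google Play counts as an official installer.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Constructed sample in the output shape of `pm list packages -i`
# ("installer=null" means the app was side-loaded).
PM_LIST_OUTPUT = """\
package:com.bank.official  installer=com.android.vending
package:com.example.taxrefund  installer=null
package:com.example.notes  installer=null
"""

# Constructed manifests keyed by package; only com.example.taxrefund declares HCE.
MANIFESTS = {
    "com.bank.official": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.bank.official">
  <uses-permission android:name="android.permission.NFC"/>
  <application/></manifest>""",
    "com.example.taxrefund": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.taxrefund">
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".CardService" android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>
    </service>
  </application></manifest>""",
    "com.example.notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application/></manifest>""",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package ('null' when side-loaded)."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def declares_hce_service(manifest_xml):
    """True if the manifest registers a HostApduService (card emulation)."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return any(
        action.get(name_attr) == "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
        for action in root.iter("action")
    )


def uses_nfc(manifest_xml):
    """True if the manifest requests the NFC permission."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return any(
        p.get(name_attr) == "android.permission.NFC" for p in root.iter("uses-permission")
    )


def suspicious_packages(pm_output, manifests):
    """Packages not installed by an official store that can emulate a card."""
    installers = parse_pm_list(pm_output)
    flagged = []
    for pkg, installer in installers.items():
        if installer in OFFICIAL_INSTALLERS:
            continue  # installed from Google Play; out of scope for this heuristic
        manifest = manifests.get(pkg)
        if manifest and uses_nfc(manifest) and declares_hce_service(manifest):
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in suspicious_packages(PM_LIST_OUTPUT, MANIFESTS):
        print("review:", pkg)
```

A hit from this check is a lead, not a verdict: legitimate wallet and transit apps also register HCE services, so the point of the filter is to narrow review to card-emulating apps that arrived outside the store, which matches how NGate was distributed.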
Separately from the technique used by the NGate malware, an attacker with physical proximity to payment cards can copy and emulate them. This could be attempted by reading cards through wallets, purses, backpacks or smartphone cases containing unattended cards, especially in crowded public places. This scenario, however, is generally limited to making small contactless payments at payment terminals.
“To ensure protection against such complex attacks, it is necessary to use certain proactive measures against tactics such as phishing, social engineering and Android malware. This means verifying website URLs, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, disabling the NFC function when it is not needed, using protective cases or using virtual cards protected by authentication”, advises Štefanko.