NFC Traffic Stealer Targets Android Users and Their Banking Information


This malware relies on near-field communication (NFC) technology combined with phishing and social engineering to steal money.


ESET has announced the discovery of new malware called "NGate", which can clone contactless payment data from physical credit and debit cards and transfer it to the attacker's Android device, allowing fraudulent transactions.


Exploiting a Legitimate Tool

The *NGate* malware is based on *NFCgate*, a tool developed by students at Darmstadt University in Germany to capture, analyze, and modify NFC communication traffic. NFC enables devices, such as smartphones, to communicate wirelessly over short distances. NFCgate was originally designed as a legitimate research tool for reverse-engineering protocols and assessing protocol security.



The tool allows attackers to capture, transfer, and replay NFC traffic between devices, enabling them to exploit this data for stealing victims' payment information. According to *Lukáš Štefanko*, an ESET researcher, NGate's purpose is to extend NFC's limited range of a few centimeters using Android phones.


Phishing and Fraud

The attack involved sending phishing text messages to victims in the Czech Republic, tricking them with links that led to malicious apps designed to collect their banking information. Once the victim installed the *NGate* app, they were asked to provide their banking credentials and personal identification number (PIN) while enabling NFC to clone their payment card data.


Cash Withdrawal

After the malware clones the NFC data, it sends it to the attacker's Android device, which must be rooted to use the data in illegal transactions through NFC-enabled ATMs. If this method fails, the attacker can still use the stolen banking account details to transfer funds directly.


Additional Attacks

The NGate malware can be used to clone any NFC data, including public transportation tickets or ID cards. ESET confirmed that the attack spreads via phishing text messages rather than through apps on the Google Play Store. Google has also stated that no such malicious apps have been found on its platform.
