A newly discovered Android malware is using a novel technique to steal payment card data by abusing a device’s NFC reader, according to security firm ESET. The malware, named NGate, builds on NFCGate, an open-source tool designed for capturing and analyzing NFC traffic. NFC, or Near-Field Communication, allows devices to communicate wirelessly over short distances.
ESET researcher Lukas Stefanko revealed in a video that NGate malware relays NFC data from a victim’s card through a compromised device to an attacker’s smartphone. This method enables the attacker to clone the card and withdraw funds from ATMs or make purchases at point-of-sale terminals.
The malware spreads through traditional phishing tactics, such as fake bank messages that lure targets into installing NGate from temporary domains mimicking legitimate banking apps. Once installed, NGate masquerades as a genuine banking app, prompting users to enter sensitive information like the banking client ID, date of birth, and PIN code. The app then requests NFC activation and card scanning.
ESET discovered NGate targeting three Czech banks beginning in November, with six different NGate apps identified from non-Google Play sources up to March. Some of these apps were Progressive Web Apps (PWAs), which can be installed on Android and iOS devices, circumventing app installation restrictions.
The campaign likely ended in March following the arrest of a 22-year-old in Prague, who was allegedly caught using NGate to withdraw money from ATMs. The arrest suggests that the suspect had been operating a fraud scheme matching NGate’s method.
ESET noted that NGate or similar apps could potentially be used for other types of NFC attacks, such as cloning smart cards used for various purposes. During testing, researchers successfully relayed the UID from a MIFARE Classic 1K tag, typically used for public transport tickets, ID badges, and membership cards.
The cloning process can occur if an attacker has physical access to a card or can briefly read a card from unattended purses, wallets, or cases. NGate does not require a rooted or customized Android device to operate.
A Google representative stated that no NGate-infected apps are currently on Google Play. Android users are protected by Google Play Protect, which automatically detects and blocks known malware from all sources, including those outside Google Play.