New Android Malware NGate Uses NFC Chip to Steal Money

ESET researchers have discovered new Android malware that steals money by relaying data read via NFC to an attacker's device. The malware, dubbed NGate, lets attackers emulate victims' cards, make unauthorized payments, or withdraw cash from ATMs.

According to the researchers, NGate has been active since November 2023 and is linked to a recent ESET report on the growing use of Progressive Web Applications (PWAs) and WebAPKs to steal banking credentials from users in the Czech Republic. The researchers also write that in a number of cases NGate was used for direct theft of cash.

Attacks with the new malware start with malicious SMS messages, automated calls with pre-recorded messages, or malicious advertising. All of these are meant to trick victims into installing a malicious PWA and then a WebAPK on their devices, as the researchers described in the earlier report.

Such applications do not request any permissions at installation; instead they use the API of the browser they run in to obtain the access they need to the device's hardware.

After installing WebAPK, the victim is tricked into installing NGate as well, and the malware activates the open source component NFCGate, which was developed by academic researchers for NFC experiments. This tool supports capture, retransmission, playback, and cloning functions, and does not always require root access to work.

Malware uses NFCGate to intercept NFC data from payment cards located in the immediate vicinity of the infected device, and then transmits the information to the attacker's device (directly or through a special server).

As a result, the attacker can store this data as a virtual card on his own device and then replay it at an NFC-enabled ATM to withdraw cash, or use it for a contactless payment at a point-of-sale terminal.

Although most ATMs require a PIN code for cash withdrawal, the researchers are confident that obtaining it takes only basic social engineering. For example, after the phishing PWA/WebAPK is installed, the scammers call the victim, pretending to be bank employees, and report some security problem. They then send the user an SMS with a link to download NGate, passing the malware off as a special application for verifying the existing bank card and PIN code.

Once the victim scans the card with their device and enters the PIN code for "verification" in NGate, sensitive data will be shared with the attacker.

In a demonstration video, ESET specialist Lukas Stefanko shows that the NFCGate component in NGate can also be used to scan and intercept card data from the wallets and backpacks of people nearby.

The specialist notes that in addition, the malware can be used to clone the unique IDs of some NFC access cards and tokens, which can help a hacker penetrate restricted areas.

ESET has also posted a video on YouTube analyzing how NGate works.

ESET reports that the Czech police have already caught one of the criminals carrying out such attacks in Prague. However, researchers fear that this tactic may become more widespread and poses a serious risk to Android users.

The company also emphasizes the potential danger arising from the cloning of access cards, transport tickets, ID badges, membership cards and other NFC carriers, explaining that money theft in this case is far from the only negative scenario.

To protect against such attacks, the experts advise disabling NFC when it is not in constant use. They also recommend carefully reviewing the permissions of installed applications and revoking unnecessary ones, installing banking applications only from the financial institution's official website or from the Google Play Store, and making sure that the application in use is not a WebAPK.

---------------

ESET reports that the Czech police have already caught one of the criminals who carried out such attacks in Prague

Criminal investigation officers detained a twenty-two-year-old foreigner who withdrew money from an ATM using other people's cards without physically having them with him. Police are seeking further victims.

On the morning of March 20, the operational headquarters received a report that a man in a mask had been lingering suspiciously at an ATM in Prague 1 for a long time. The detectives were on the scene within a few minutes, but the suspicious man was no longer at the ATM. To be sure, the detectives immediately checked with the operations officer whether any fraud had just been reported in the area, and this concern was confirmed. The 50-year-old victim was already on her way to the police station, and detectives of the third and eleventh departments began immediate operational actions. They very quickly managed to track the suspect through the camera system and shortly afterwards arrested him in a shopping center on Republic Square. The foreigner had more than one hundred and sixty thousand crowns in cash on him, and since he had withdrawn less than forty thousand from the victim's card, it was clear that this was far from the only unauthorized ATM withdrawal that day.

After interviewing the victim, the detectives found out that the scammers had come up with a new way to swindle money from people. Victims receive an SMS containing information such as an overpayment of taxes and a link to a page where they must enter their bank details so that the money can be paid out to them. After logging in there, they receive a call from a supposed bank employee who already has all the data about the victim's account and access to it. The caller tells them that their account has been hacked and that, to save their funds, they need to change the PIN code on the card, and that they should have the card ready for the subsequent change made through the bank's own mobile application. They are then sent a link to download the application, which is not the official bank application but a fraudulent one. After downloading this application and logging in, they are asked to link a payment card to their mobile phone, while the NFC signal is relayed to another mobile device, with which a second fraudster stands at an ATM and can withdraw money undisturbed. Since the fraudsters have access to the victim's banking, it is no problem for them to change the limits on the card as needed, for example so that larger amounts can be withdrawn. If they fail to convince the victim to download the app, however, they make a wire transfer to another account to which they have access.
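The police account above describes a recognizable event sequence on the bank's side: a login from a new device, a raise of the card limit, then a contactless ATM withdrawal minutes later. The following is an added example, not code from ESET, the Czech police, or the NGate/NFCGate projects, showing how a transaction-monitoring rule could correlate those three signals per account within a short time window. The event log format, account names, device ids, ATM ids and amounts are all constructed for the example.

```python
"""Correlate mobile-banking and card events to flag the relay-fraud pattern
described in the police report: new-device login -> card limit raised ->
contactless ATM withdrawal, all within a short window.

Added example with a constructed event format (ts,account,kind,key=value;...).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events; the account ids, device ids, ATM ids and amounts
# are invented for this example and are not from the report.
SAMPLE_LOG = """
# ts,account,kind,key=value;key=value
2024-03-20T08:02:00,ACC-1,login,device=dev-9f3;new_device=true;channel=mobile
2024-03-20T08:10:00,ACC-1,limit_change,old=20000;new=80000
2024-03-20T08:31:00,ACC-1,atm_withdrawal,amount=39000;entry=contactless;atm=EX-ATM-07
2024-03-20T09:00:00,ACC-2,login,device=dev-ab1;new_device=false;channel=mobile
2024-03-20T09:20:00,ACC-2,atm_withdrawal,amount=2000;entry=contactless;atm=EX-ATM-07
2024-03-19T18:00:00,ACC-3,login,device=dev-11;new_device=true;channel=mobile
2024-03-20T10:00:00,ACC-3,atm_withdrawal,amount=3000;entry=chip_pin;atm=EX-ATM-01
"""


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str        # "login", "limit_change" or "atm_withdrawal"
    detail: dict     # remaining key=value fields


def parse_events(lines):
    """Parse the constructed log lines into Event objects sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, kind, rest = line.split(",", 3)
        detail = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), account, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def flag_relay_pattern(events, window=timedelta(hours=2)):
    """Return one alert per contactless ATM withdrawal that follows a
    new-device login on the same account within `window`. A limit increase in
    the same window raises the severity, since the report notes the fraudsters
    adjust limits before withdrawing."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for w in evs:
            if w.kind != "atm_withdrawal" or w.detail.get("entry") != "contactless":
                continue
            prior = [e for e in evs if w.ts - window <= e.ts < w.ts]
            new_device = any(e.kind == "login" and e.detail.get("new_device") == "true"
                             for e in prior)
            if not new_device:
                continue  # the pattern hinges on the fraudulent app login
            reasons = ["new-device login"]
            if any(e.kind == "limit_change"
                   and int(e.detail.get("new", 0)) > int(e.detail.get("old", 0))
                   for e in prior):
                reasons.append("card limit raised")
            alerts.append({
                "account": account,
                "ts": w.ts.isoformat(),
                "amount": int(w.detail["amount"]),
                "atm": w.detail.get("atm", "?"),
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return alerts


def analyze(log_text):
    """Convenience wrapper: parse a log and return the alerts."""
    return flag_relay_pattern(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample data only ACC-1 is flagged (high severity, both signals present); ACC-2 logs in from a known device, and ACC-3's new-device login is outside the two-hour window and its withdrawal is chip-and-PIN. A real deployment would tune the window and add the ATM location relative to the customer's usual area, but the core correlation is the same.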

The detained 22-year-old foreigner is in custody and is charged with the crime of unauthorized acquisition, forgery and counterfeiting of a means of payment, for which, if convicted, he could face up to eight years in prison.

At the same time, the last three victims were very lucky that the detectives found the cash on the suspect, so it can be returned to them. Given that this man has been in Prague for a long time, there is an assumption that there may be more victims, so investigators ask everyone who has encountered a similar case to report everything to the nearest local police station. If victims find out which ATM the money was withdrawn from before reporting it, this greatly facilitates and speeds up the work of the criminal investigators and increases the chance of catching the criminal.

However, such cases can easily be avoided by never entering your card or mobile banking details in unverified applications and never giving them to anyone over the phone.

Richard the Hero – March 28, 2024

• Source: https://www.policie.cz/clanek/pozor-podvodnici-vymysleli-novy-system.aspx