ESET researchers uncovered NGate, a novel Android crimeware that relays NFC data from victims’ payment cards to an attacker’s device, enabling unauthorized ATM withdrawals without rooting the victims’ phones. The campaign started with malicious PWAs, moved on to WebAPKs and then to NGate; phishing was used to get Czech bank clients to install the malware, and the operation was subsequently linked to an arrest by Czech police. Hashtags: #NGate #NFCGate #RaiffeisenCZ #CSOB #Czechia #ATM #NFC #NFCRelay #WebAPK #PWA #ESET #WeLiveSecurity
Keypoints
- Attackers combined social engineering, phishing, and Android malware in a novel attack sequence targeting Czech bank clients.
- The operation has been active since November 2023, starting with malicious PWAs and then WebAPKs, before advancing to the NGate Android malware by March 2024.
- NGate can capture NFC data from a victim’s payment card held to the compromised phone and relay it to an attacker’s device, which then emulates the card to make unauthorized ATM withdrawals.
- This is the first known instance of Android malware with NFC relay capabilities observed in the wild.
- Victims were tricked into installing the malware via phishing messages about tax returns, without needing to root their devices.
- The Czech police arrested a suspect and recovered stolen funds, with evidence suggesting the total theft was higher than recovered.
MITRE Techniques
- [T1660] Phishing – NGate has been distributed using dedicated websites impersonating legitimate services.
- [T1417.002] Input Capture: GUI Input Capture – NGate tries to obtain victims’ sensitive information via a phishing WebView pretending to be a banking service.
- [T1426] System Information Discovery – NGate can extract information about the device, including device model, Android version, and NFC status.
- [T1437.001] Application Layer Protocol: Web Protocols – NGate uses a JavaScript interface to deliver commands to compromised devices and execute them.
- [T1509] Non-Standard Port – NGate uses port 5566 to communicate with its server and exfiltrate NFC traffic.
- [T1644] Out of Band Data – NGate can exfiltrate NFC traffic.
Indicators of Compromise
- [File hash] CSOB-related samples – 7225ED2CBA9CB6C038D8, 615A47423E45522A9AD1, and 4 more hashes (csob_smart_klic.apk)
- [File hash] George-related samples – DA84BC78FF2117DDBFDC, BA4E5C4E3666EEA2013E (george_klic.apk)
- [File hash] George-0304 sample – E7AE59CD44204461EDBD, DF292D36EEED38C83696
- [File hash] RB-related samples – 103D78A180EB973B9FFC, 289E9C53425D29A77229, and 2 more hashes (rb_klic.apk)
- [File hash] RB-related sample – 11BE9715BE9B41B1C852, 7C9256F0010E26534FDB (rb_klic.apk)
- [Domain] NGate distribution and phishing infrastructure – raiffeisen-cz.eu, app.mobil-csob-cz.eu, and 2 more domains
- [IP] NGate infrastructure hosts – 91.222.136.153 (NGate distribution website), 104.21.7.213 (phishing website) and other IPs
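The indicators above can be operationalized directly. The following Python is an added example, not code from ESET’s article or from the NGate analysis: it runs the two domains, two IPs and the relay port 5566 listed on this page over a handful of constructed DNS and connection log lines. The log line formats, the `Hit` record, the confidence tiers, and the sample addresses (10.0.0.x clients, 192.168.1.20, 203.0.113.7) are assumptions of this example. The truncated file hashes on the page cannot be matched as printed, so hash matching is deliberately left out.

```python
"""IoC matcher for the NGate indicators listed on this page (added example).

Scans two constructed, assumed log formats:
  DNS:  "... query: <qname> A"
  Conn: "... dst=<ip>:<port> ..."
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the page's IoC list (only the ones it prints in full).
NGATE_DOMAINS = {"raiffeisen-cz.eu", "app.mobil-csob-cz.eu"}
NGATE_IPS = {
    "91.222.136.153": "NGate distribution website",
    "104.21.7.213": "phishing website",
}
NGATE_RELAY_PORT = 5566  # port NGate uses to exfiltrate relayed NFC traffic

# Address space treated as internal; a dst here is not a relay to the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

DNS_RE = re.compile(r"query:\s+(?P<qname>\S+)")
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    confidence: str  # high / medium / low (tiers assumed for this example)
    reason: str


def domain_matches(qname: str) -> bool:
    """True if qname is an indicator domain or a subdomain of one.

    Suffix matching requires the dot boundary, so 'notraiffeisen-cz.eu' and
    'raiffeisen-cz.eu.example.com' do not match.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in NGATE_DOMAINS)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return one Hit per log line that touches an NGate indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            if domain_matches(m["qname"]):
                hits.append(Hit(n, m["qname"], "high",
                                "lookup of NGate phishing/distribution domain"))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        ip, port = m["ip"], int(m["port"])
        if ip in NGATE_IPS:
            # Hosting IPs churn and may be shared; confirm via the domain.
            hits.append(Hit(n, ip, "medium", "connection to " + NGATE_IPS[ip]))
        elif port == NGATE_RELAY_PORT and not is_internal(ip):
            # Port alone is a weak signal: use it as a pivot, not an alert.
            hits.append(Hit(n, f"{ip}:{port}", "low",
                            "outbound connection to NGate NFC relay port"))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-12T09:14:01Z dns client=10.0.0.5 query: app.mobil-csob-cz.eu A",
    "2024-03-12T09:14:03Z conn src=10.0.0.5:49152 dst=104.21.7.213:443 proto=tcp",
    "2024-03-12T09:20:44Z conn src=10.0.0.5:49201 dst=91.222.136.153:443 proto=tcp",
    "2024-03-12T09:25:10Z conn src=10.0.0.5:49310 dst=203.0.113.7:5566 proto=tcp",
    "2024-03-12T09:26:00Z dns client=10.0.0.9 query: www.csob.cz A",
    "2024-03-12T09:26:30Z conn src=10.0.0.9:49400 dst=192.168.1.20:5566 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: [{hit.confidence}] {hit.indicator} - {hit.reason}")
```

On the sample input only the first four lines fire: the domain lookup (high), the two infrastructure IPs (medium), and the external connection to port 5566 (low); the legitimate bank lookup and the internal host on port 5566 are ignored. Treat the port-only hit as a pivot to the device’s other activity rather than a standalone alert, and re-check the IP indicators against current passive DNS before acting on them, since the page describes infrastructure observed during the campaign.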
Read more: https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-steal-cash/