NFC malware copies bank cards | Heise Online

Android malware that copies and transmits data from NFC cards has been found in the wild by Slovak IT security company ESET. Over several months, third-party accounts in three Czech banks were emptied. A suspect has been in custody since March, but copycats are probably only a matter of time. The malware, called NGate, is said to be based on software that students at the Technical University of Darmstadt wrote and published for research purposes.

This software is called NFCGate and captures, analyzes and modifies data transmitted over an NFC connection. Its aim is to deepen the understanding of transmission protocols and assess their security. According to ESET, unknown persons used the Darmstadt code to build the NFC malware NGate for illegal purposes.

NFC stands for Near Field Communication; it is a more than 20-year-old technology for contactless transmission of data over a distance of just a few centimeters. For example, NFC chips are used in mobile phones, access cards, travel documents and bank cards. Thanks to NFC, most German consumers now make contactless payments. Bank cards with NFC have long been the standard in the Czech Republic as well. The criminal or criminals took advantage of this.

The attacks began with text messages, which were probably sent to random Czech cell phone numbers. They promised the payment of tax credits, which required the installation of a linked app that runs directly in the browser (Progressive Web App, PWA). This was not yet the NFC malware. Anyone who installed the app and entered their bank details gave the criminals access to their bank account. This was followed by a call from a person who played the role of a “helpful bank employee”. This person informed the victim (factually correctly) that they had been the victim of an IT attack.

According to the story, the “necessary measure” was to install another app in order to change the PIN of the bank card immediately. To do this, the victim was sent to websites imitating the Google Play Store to download and install the NGate malware. This was the NFC malware. (ESET did not find it in the real Google Play Store.) The software mimics the interface of real banking apps and asks for the customer number, date of birth and PIN. It also instructs the user to place the appropriate bank card on the device and, if necessary, to turn on NFC on the cell phone.

In fact, none of this is intended to protect the bank account; rather, the malware sends the PIN and NFC data to the criminal’s rooted Android phone. In the Czech Republic, a masked man went to an NFC-enabled ATM with a cell phone and withdrew money from someone else’s account. Thanks to access to the victim’s online banking through the first app, the criminals were able to increase the withdrawal limit.

ESET emphasizes that the victims’ cell phones did not need to be rooted. Its researchers have discovered NGate variants for six different Czech banks, always signed with the same developer certificate.

Successful attacks on customers of three Czech banks are known. When Czech police arrested a 22-year-old suspect in March, he had more than 6,000 euros on him. The cash is said to have come from only his three previous victims, so the amount of damage is likely to be many times greater. Police appealed for the victims to file a report and, if possible, to let them know at which ATM money was withdrawn from their account.

By the way: if the criminals were unable to get the NFC malware installed on the victim’s phone, they were content to enrich themselves by making a transfer to someone else’s account. The first app was enough for this, without any NFC.


(DS)
