Beware! This new Android malware can steal your card details
Cybersecurity experts from ESET have uncovered a new method used by cybercriminals to steal data from smartphone users. The technique involves exploiting the near-field communications (NFC) chip in their devices. This multi-step scam requires a certain level of naivety from the victim, and employs progressive web apps (PWAs), advanced WebAPKs, and significant social engineering tactics. The implications of this scam extend beyond financial theft as NFC technology is used in various services such as access cards and transportation tickets.
The scam begins with a deceptive message
The scam commences with the victim receiving an SMS or an automated call, where the fraudsters impersonate their bank. They urge the victim to install a malicious PWA or WebAPK, claiming these are crucial updates. These apps operate differently from traditional ones and do not request the same install-time permissions. Instead, they obtain the access they need through the browser's APIs. After this stage, the scammers contact the victim again, posing as bank employees and alerting them about a security breach.
NGate: The malware that captures NFC data
The scammers then convince the victim to download an app called NGate, claiming it can verify their payment card and PIN. This malware is capable of capturing NFC data from payment cards in close proximity to the infected device. It then transmits this information to the attackers, either directly or via a proxy. The transmission is facilitated through an open-source component known as NFCGate, which provides on-device capturing, relaying, replaying, and cloning features.
The aftermath of falling for the scam
Once the victim discloses their PIN, the scammers can use this data to clone their card on their own smartphones. They can then make cash withdrawals from ATMs or make purchases at POS endpoints. Google has responded to these findings by stating that its default security tool, Google Play Protect, can detect this malware. "Based on our current detections, no apps containing this malware are found on Google Play," a representative from Google told BleepingComputer.
Here's how to mitigate the risk
To reduce the risk, disable your device's NFC if you're not using it. Head to Settings > Connected devices > Connection preferences > NFC and toggle it off. If you need NFC to be active at all times, carefully review app permissions and restrict access only to necessary apps. Install banking apps only from the official website or Google Play, and verify that the app isn't a WebAPK. WebAPKs are usually very small and are installed directly from a browser rather than from the store.
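One way to check a device for the two signs mentioned above, a WebAPK origin and an install source other than Google Play, is to audit the output of `adb shell pm list packages -f -i`. This is an added example, not code from the article or from ESET; the package list is constructed, and the line format of the `pm` output is assumed to be `package:<apk path>=<package name>  installer=<installer package>`.

```python
"""Flag installed Android packages that look like WebAPKs or were not
installed from Google Play, parsed from `adb shell pm list packages -f -i`."""
import re

# Constructed sample output; the line format is an assumption about `pm`.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~a1b2==/com.example.bank-xyz==/base.apk=com.example.bank  installer=com.android.vending
package:/data/app/~~c3d4==/org.chromium.webapk.a9f0b1c2-1==/base.apk=org.chromium.webapk.a9f0b1c2  installer=com.android.chrome
package:/data/app/~~e5f6==/com.example.updater-1==/base.apk=com.example.updater  installer=null
package:/system/priv-app/Nfc/Nfc.apk=com.android.nfc  installer=null
"""

OFFICIAL_INSTALLERS = {"com.android.vending"}  # Google Play's package name
# WebAPKs minted by Chrome carry package names under this prefix.
WEBAPK_PREFIX = "org.chromium.webapk."
LINE_RE = re.compile(
    r"^package:(?P<path>.+?)=(?P<name>[\w.]+)\s+installer=(?P<installer>\S+)$"
)


def parse_pm_output(text):
    """Yield (package_name, apk_path, installer) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["name"], m["path"], m["installer"]


def audit_packages(text):
    """Return {package_name: [reasons]} for packages worth a closer look."""
    findings = {}
    for name, path, installer in parse_pm_output(text):
        if path.startswith("/system/"):
            continue  # preloaded system packages are out of scope here
        reasons = []
        if name.startswith(WEBAPK_PREFIX):
            reasons.append("WebAPK generated by Chrome, not a store app")
        if installer not in OFFICIAL_INSTALLERS:
            reasons.append(f"installer is {installer}, not Google Play")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in audit_packages(SAMPLE_PM_OUTPUT).items():
        print(pkg, "->", "; ".join(why))
```

Any banking app that shows up in the findings should be removed and reinstalled from the bank's official site or Google Play.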