Cybercriminals: Spreading Malware Through Email, Websites, Phone Calls, And Texts

A new Android malware called NGate can steal victims' contactless payment data from physical credit and debit cards and send it to a rooted Android phone controlled by the cybercriminals.

NGate asks users to enable the near-field communication (NFC) feature on their smartphone and then "place their payment card at the back of their smartphone until the malicious app recognizes the card."

The malicious app also asks victims to enter sensitive financial information and can capture NFC traffic and send it to another device.

The threat actor then calls the victim pretending to be a bank employee and tells the victim that their bank account has been compromised. The threat actor instructs the victim to change their PIN and validate their financial card using a link, sent by the threat actor through SMS, that installs the malware.

Cybersecurity researchers discovered the malware in March 2024 as part of a crimeware campaign targeting three banks in Czechia. Cybercriminals spread NGate malware through malicious progressive web apps (PWAs) and WebAPKs.

According to the researchers, the goal of the campaign "is to clone near-field communication (NFC) data from victims' physical payment cards using NGate and transmit the information to an attacker device that then emulates the original card to withdraw money from an ATM."

Researchers believe the cybercriminals use "a combination of social engineering and SMS phishing to trick users into installing NGate by directing users to short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store."

However, there is no evidence that the malware was spread on the Google Play Store. Google Play Protect automatically protects users from known versions of NGate, even when an app is downloaded from a third party.

Ravie Lakshmanan, "New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards," thehackernews.com (Aug. 26, 2024).

Commentary

Never download an app or software in response to an unsolicited email, phone call, or text message, even if the sender claims to be an employee at your bank. Cybercriminals will often pretend to be from trusted institutions, or even someone you know, in order to get you to download malware.

Do not download software from a website to which you are redirected.

Also, do not trust any app that asks for more permissions than it should need to perform its stated operation. Do not use third-party apps for any financial transactions, as such apps could contain malware.

Here are some additional general facts about malware:

  • Malware stands for "malicious software."
  • Malware includes viruses, spyware, adware, worms, trojans, rootkits, and bots.
  • Malware can infect computers, mobile phones, and other mobile devices.
  • Malware can monitor online activity; steal confidential information; corrupt or hamper devices; slow network performance; and even take control of your devices.
  • Criminals use malware to steal identities, send out spam, or extort money.
  • Malware is often embedded into freeware and spam.