Recent research from cybersecurity firm ESET provides details about a new attack campaign targeting Android smartphone users.
The cyberattack, based on both a complex social engineering scheme and the use of new Android malware, is capable of stealing users' near-field communication data to withdraw cash from NFC-enabled ATMs.
Constant technical improvements from the threat actor
As noted by ESET, the threat actor initially exploited Progressive Web App technology, which allows for the installation of an app from any website outside of the Play Store. This technology can be used with supported browsers, such as Chromium-based browsers on desktop computers or Firefox, Chrome, Edge, Opera, Safari, Orion, and Samsung Internet Browser.
PWAs, which are accessed directly through browsers, are flexible and usually do not present compatibility issues. Once installed, a PWA can be recognized by its home-screen icon, which carries a small overlay of the browser's icon.
Cybercriminals use PWAs to direct unsuspecting users to full-screen phishing websites to collect their credentials or credit card information.
The threat actor involved in this campaign moved from PWAs to WebAPKs, a more advanced type of PWA. The difference is subtle: PWAs are apps built using web technologies, while WebAPKs use a technology to integrate PWAs as native Android apps.
From an attacker's perspective, using WebAPK is stealthier because its icons no longer display a small browser icon.
The victim downloads and installs a standalone application from a phishing website, and is not asked for any additional permission to install an application from a third-party website.
These fraudulent websites often imitate parts of the Google Play Store to create confusion and make the user believe that the installation is actually coming from the Play Store, when in fact it is coming directly from the fraudulent website.
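As an added example (not part of ESET's research or of this article), the following Python snippet triages the output of `adb shell pm list packages -i` from an Android device, flagging Chrome-minted WebAPKs (which use the package prefix `org.chromium.webapk.`) and packages whose recorded installer is not a trusted app store. The sample output and the package names in it are constructed, and the trusted-installer set and system-prefix skip are assumptions to adjust per fleet.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the format of `adb shell pm list packages -i`
# (not captured from a real device). Package names are placeholders.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:org.chromium.webapk.a3f1c9e2d7b4  installer=com.android.vending
package:com.example.taxrefund  installer=null
package:com.android.settings  installer=null
"""

# Assumption: only these installers count as trusted stores for this triage.
TRUSTED_INSTALLERS = {"com.android.vending", "com.samsung.android.app.samsungapps"}

# Chrome installs WebAPKs under this package-name prefix.
WEBAPK_PREFIX = "org.chromium.webapk."

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


class Finding(NamedTuple):
    package: str
    installer: str
    reason: str


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map each package name to its installer ('null' when Android has none recorded)."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group(1)] = match.group(2)
    return packages


def triage(packages: Dict[str, str], system_prefixes=("com.android.",)) -> List[Finding]:
    """Flag WebAPKs (they look native but came from a website) and sideloaded apps.

    Preinstalled system apps also report installer=null, so packages under the
    given prefixes are skipped; this is a heuristic, not proof of legitimacy.
    """
    findings: List[Finding] = []
    for pkg, installer in sorted(packages.items()):
        if pkg.startswith(WEBAPK_PREFIX):
            findings.append(Finding(pkg, installer, "webapk"))
        elif installer not in TRUSTED_INSTALLERS and not pkg.startswith(system_prefixes):
            findings.append(Finding(pkg, installer, "sideloaded"))
    return findings
```

Flagged packages are a starting point for review (origin, signing certificate, requested NFC permission), not a verdict on their own.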
NGate malware
On March 6, the same distribution domains used for the observed PWA and WebAPK phishing campaigns suddenly started spreading a new malware called NGate. Once installed and executed on the victim’s phone, it opens a fake website that requests the user’s banking information, which is sent to the threat actor.
The malware also embeds NFCGate, a legitimate tool that relays NFC data between two devices without requiring the device to be rooted.
Once the user has provided banking information, that person receives a request to activate the NFC function from their smartphone and place their credit card against the back of their smartphone until the application successfully recognizes the card.
Complete social engineering
While enabling NFC for an app and having a payment card recognized may initially seem suspicious, the social engineering techniques deployed by threat actors explain the scenario.
The cybercriminal sends an SMS message to the user, mentioning a tax return and including a link to a phishing website that impersonates banking companies and leads to a malicious PWA. Once installed and executed, the app requests the user's banking credentials.
At that point, the threat actor calls the user, posing as the banking company. The victim is informed that their account has been compromised, likely due to the previous SMS. The user is then asked to change their PIN and verify bank card details using a mobile app to protect their bank account.
The user then receives a new SMS with a link to the NGate malware app.
Once installed, the app requests the activation of the NFC function and the recognition of the credit card by pressing it against the back of the smartphone. The data is sent to the attacker in real time.
Monetizing stolen information
The information stolen by the attacker can be used to carry out common frauds: withdrawing funds from a bank account or using credit card information to purchase products online.
However, the NFC data stolen by the attacker allows the attacker to emulate the original payment card and withdraw money from NFC-enabled ATMs, a previously unreported attack vector.
Scope of the attack
ESET's investigation revealed that the attacks occurred in the Czech Republic, as only banking companies in that country were targeted.
A 22-year-old suspect was arrested in Prague. He was found to be in possession of around 6,000 euros ($6,500). According to Czech police, this money was the result of the robbery of the three most recent victims, suggesting that the perpetrator stole much more during this campaign of attacks.
However, as ESET researchers write, “the possibility of its expansion to other regions or countries cannot be ruled out.”
It is likely that more cybercriminals will use similar techniques to steal money via NFC in the near future, especially as this system becomes increasingly popular among developers.
How to protect yourself from this threat
To avoid falling victim to this cyber campaign, users should:
- Check the source of the apps you download and carefully examine URLs to ensure their legitimacy.
- Avoid downloading software from outside official sources, such as the Google Play Store.
- Avoid sharing your payment card PIN. No bank will ever ask you for this information.
- Use digital versions of traditional physical cards, as these virtual cards are stored securely on the device and can be protected with additional security measures such as biometric authentication.
- Install security software on mobile devices to detect malware and unwanted applications on the phone.
Users should also disable NFC technology on their smartphones when not in use, which protects them from further data theft. Attackers can read card data through unattended wallets, purses and backpacks in public places. They can use the data to make small contactless payments. Protective cases can also be used to create an effective barrier against unwanted scans.
If you have any questions about a call from a banking employee, hang up and call the bank's usual contact, preferably from another phone.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.