Cybercriminals have reportedly found a way to steal from smartphone users by extracting data read by their devices' near-field communications (NFC) chip.
The scam was revealed by ESET cybersecurity researchers, who said it includes progressive web apps (PWAs), advanced WebAPKs, and significant social engineering in a multi-step approach that requires a bit of naivety on the part of the victim.
But it's not just about stealing money, as NFC technology is used by many different services, including access cards, transport tickets and more, opening victims up to a potential world of pain.
Login to NGate
It all starts with an SMS message or automated call to the victim, in which the criminals impersonate the victim's bank and urge them to install a malicious PWA or WebAPK, claiming that these are important updates. Since these apps don't work the same way as classic apps, they don't require the same permissions. Instead, they gain the necessary access by abusing the browser's API.
Once that intermediate step is complete, the scammers call the victim, posing as a bank employee, and warn them of a security incident. The only way to protect their funds, the scammers explain, is to download an app that verifies the payment card and, more importantly, the PIN number.
The app is NGate, malware that can capture NFC data from payment cards near the infected device and then send it to the attackers, either directly or through a proxy. It does this through an open-source component called NFCGate, a research project that enables capture, relay, playback and cloning functions on the device.
Obviously, once the victim shares their PIN number, there is virtually nothing they can do. Criminals use the data to clone the card on their smartphones and either make cash withdrawals from ATMs or purchases at POS terminals.
Commenting on the findings, Google told the publication that Google Play Protect, Android's default security tool, detects this malware.
“Based on our current detections, no apps containing this malware have been found on Google Play.”
Google generally does a good job of keeping its mobile app repository clean, and most fake and malicious apps tend to be hosted elsewhere on the internet. Therefore, the best way to stay safe is to download Android apps only from trusted sources.
Via BleepingComputer