Stratos Ally

NGate: New Android Malware Stealing NFC Data 

Cybersecurity researchers have recently discovered a new Android malware named NGate, which targets contactless payment data by capturing NFC (Near Field Communication) data from credit and debit cards through a malicious app.

In their analysis, researchers Lukáš Štefanko and Jakub Osmani said this malware has the unique ability to relay data from victims' payment cards, via a malicious app installed on the victims' Android devices, to the attacker's Android phone. A Slovak cybersecurity company has observed that this malware is also linked to a crimeware campaign that targeted three banks in Czechia.

The attackers use smishing to trick victims into installing NGate. Once installed on your device, it captures NFC data and sends it to an attacker-controlled phone, which can then be used to clone your card and withdraw cash from ATMs.

NGate has been part of a broader attack strategy involving malicious progressive web apps (PWAs) and WebAPKs since November 2023. Researchers identified six different NGate apps between November 2023 and March 2024, with the campaign appearing to pause following the arrest of a 22-year-old suspect in Czechia involved in ATM thefts.

NGate employs two servers: one for phishing and capturing sensitive information, and another, the NFCGate relay server, for redirecting the NFC data to the attacker’s device. This attack underscores the need for improving security measures against evolving cyber threats. 
