A new type of scam is putting the security of ATM users at risk.
Cybercriminals are using NGate malware to clone physical payment cards and withdraw money without victims noticing. This attack has been detected by ESET, a renowned cybersecurity company, and takes advantage of NFC (Near Field Communication) technology, present in most smartphones with the Android operating system.
The ease with which mobile devices today allow for making payments has been used to the benefit of fraudsters, who have found in the NGate malware an effective tool to empty bank accounts. This type of attack represents a growing threat, especially for those users who use contactless payments through their mobile devices.
How does NGate malware work?
The NGate malware was first discovered in November 2023 in the Czech Republic, marking a significant shift in the way cybercriminals operate. The malware intercepts payment card data using NFC technology, which allows payments to be made by simply holding a mobile phone close to a terminal. While this technology offers convenience and speed, it has also opened the door to new types of attacks.
The process of stealing money with NGate begins with a common tactic: phishing. Criminals send SMS messages that appear to come from trusted banking institutions, urging users to download a supposedly official app or resolve an issue related to their account. However, the link accompanying this message leads to the download of an infected app that installs the NGate malware on the Android device.
Once installed, the NGate malware is activated when the user makes payments using NFC. The malware captures the payment card data and transmits it to the attackers’ device. With the cloned data, cybercriminals can emulate the card using a linked Android phone and make ATM withdrawals or unauthorized purchases. This entire process occurs silently, and the victim does not notice the theft until they check their bank account.
The tool behind the malware: NFCGate
The most worrying thing about the NGate case is that its underlying technology, NFCGate, was not created for malicious purposes. NFCGate is a legitimate platform, developed by students at the Technical University of Darmstadt in Germany. It was designed to capture, analyze and modify NFC traffic for research purposes. However, cybercriminals have been able to take advantage of this tool to steal information in a stealthy and effective way.
NFCGate was conceived as a research tool to better understand how NFC traffic works and its vulnerabilities. But, as with many technologies, how it is used depends on whose hands it falls into. In this case, it has been adapted by criminals to intercept sensitive user information.
Why is this NFC attack so dangerous?
NFC is widely used on modern mobile devices, with more and more people using this technology to make quick, contactless payments. This expansion has led to growing concern among security experts, as malicious apps like NGate can intercept sensitive information in real time, exposing victims to theft of their funds.
What makes this type of attack so dangerous is that it happens without the user noticing. Unlike other forms of fraud, where suspicious behavior or red flags can be observed, the use of NGate leaves no visible traces. Victims only discover that they have been scammed when it is too late.
How to protect yourself from NGate malware and NFC attacks?
With cyberattacks like NGate becoming more sophisticated, it is critical that users take preventative measures to protect their mobile devices and financial information. Here are some key recommendations:
1) Avoid downloading apps from suspicious links: Phishing is the primary means by which attackers get victims to install malware on their devices. Users should be extremely cautious when downloading apps from links sent via SMS or email, even if they appear to come from legitimate sources such as banks. It is best to install apps directly from official stores, such as Google Play.
2) Verify the authenticity of banking communications: If you receive a text message or email that appears to come from a bank, and it requests that you take urgent action, such as downloading an app or verifying your account, it is essential to contact the bank through its official channels before clicking on any links. Banks rarely send links in text messages, which makes these types of communications suspicious by default.
3) Disable NFC when not in use: Although NFC is a very convenient technology, most users do not need it switched on all the time. It is advisable to disable NFC when it is not actively being used. This way, you reduce the chance of malware capturing data in the background. For those who do not use NFC frequently, keeping it disabled is a simple but effective measure.
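As an added example (not code from the article or from ESET), a small Python triage helper that flags the combination the infection chain above produces: a third-party app that did not come from Google Play yet requests NFC access. It assumes the text output of `adb shell pm list packages -3 -i` and of `dumpsys package <pkg>`; the sample output and package names below are constructed.

```python
"""Flag sideloaded Android apps that request NFC access (NGate-style triage)."""
import re

PLAY_STORE_INSTALLER = "com.android.vending"
NFC_PERMISSION = "android.permission.NFC"

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps).
PM_LIST_SAMPLE = """\
package:com.example.bankhelper  installer=null
package:com.example.weather  installer=com.android.vending
package:com.example.nfcreader  installer=com.android.chrome
package:com.example.notes  installer=null
"""

# Constructed excerpts of the 'requested permissions' section of `dumpsys package`.
DUMPSYS_SAMPLE = {
    "com.example.bankhelper": "  requested permissions:\n    android.permission.INTERNET\n"
                              "    android.permission.NFC\n    android.permission.RECEIVE_SMS\n",
    "com.example.weather": "  requested permissions:\n    android.permission.NFC\n",
    "com.example.nfcreader": "  requested permissions:\n    android.permission.NFC\n",
    "com.example.notes": "  requested permissions:\n    android.permission.INTERNET\n",
}


def parse_installers(pm_list_output):
    """Map package name -> installer package; None when the installer is unknown (sideloaded)."""
    installers = {}
    for line in pm_list_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def requested_permissions(dumpsys_output):
    """Collect permission names listed under 'requested permissions:'."""
    perms, in_section = set(), False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
        elif in_section and line.endswith(":"):
            break  # next dumpsys section begins
        elif in_section and line:
            perms.add(line.split(":")[0].split()[0])  # tolerate trailing flags
    return perms


def flag_sideloaded_nfc_apps(pm_list_output, dumpsys_by_pkg):
    """Return apps not installed by Play that request NFC; Play apps using NFC are left alone."""
    flagged = []
    for pkg, installer in parse_installers(pm_list_output).items():
        if installer != PLAY_STORE_INSTALLER:
            if NFC_PERMISSION in requested_permissions(dumpsys_by_pkg.get(pkg, "")):
                flagged.append(pkg)
    return sorted(flagged)
```

A hit is only a lead for manual review, since legitimate NFC apps can be installed from browsers or other stores too.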