There is nothing simpler than paying with your mobile. By simply bringing the device close to the store’s NFC reader, we can make the payment automatically and leave with our purchase; And the best part is that it is a secure system, which requires identification with our fingerprint or another method. But is it as safe as it should be?
A hacker attack campaign that It has been active since November 2023 proves that it is not. It is based on the NGate malware, and only now have ESET cybersecurity researchers figured out how it works and made it public; and the bad news is that steal our credit and debit cardsand emptying our bank account is very simple.
NGate is a “malware” capable of capturing data transmitted via the NFC connection; Normally, these types of connections are difficult to intercept due to their short range, which requires the attacker to pass a reader near our mobile phone when we make a purchase or withdraw money from an ATM.
NGate turns our mobile into a readerable to obtain information from nearby cards; To do this, it takes advantage of an open source component called NFCGate, developed to test and experiment with NFC connections.
The infection process is not simple, but if the user is not careful, he or she may fall into the trap. It all starts with a “phishing” process, in which hackers send messages or make automated calls to the victim; there have also been cases of malicious advertising. The goal of all these contacts is the same: to convince the victim that an application must be installed on your mobile to protect your bank account.
This malicious application pretends to be the official application of the victim’s bank, copying the icon and name; the application does not require additional permissions, which gives a sense of security, but in reality it is because it abuses the security of the web browser to not ask for them. Of course, it’s youa malicious application that will obtain our banking login information and will transfer the money from our account to the attackers’ account. But the attack doesn’t stop there.
During the installation process, NGate is installed, which will now use the mobile’s NFC to capture data from nearby cards; such as the cards of people walking past us on the street. As long as they are close enough to make a payment, NGate will be able to steal the data.
NGate transmits this data to the attacker’s device, either directly or via a server. With this information, the attacker can create a virtual copy of the map and use it to make purchases or withdraw money from an ATM. The PIN is obtained through “social engineering”: hackers call the victim, give them their card details to prove they belong to the bank, and ask them to install an app that requires the PIN to check if money has been stolen. Malware can also be used to copy access cards to high-security locations.
This malware has already been used to carry out attacks against users of three banks in the Czech Republic, although for the moment, There is no evidence that it was used in Europe.The good news is that the Czech police have already arrested one of the cybercriminals in Prague; the problem is that this method may spread to other countries.
After the publication of the security researchers, Google announced that Google Play Protect is now able to automatically detect NGate in the applications available in the store and in which users install it. Therefore, the best protection against this attack is to avoid installing applications from suspicious pages, especially if they pretend to come from our bank; we must remember that Bank employees will never ask us for information such as PIN numberand they also won’t ask us to install any applications other than the one we already use.