Alert over new virus that steals card data and lets attackers withdraw money from ATMs

A team of cybersecurity researchers has detected a new type of malware that abuses NFC technology to extract money from ATMs and carry out unauthorized transactions. It combines known social engineering techniques with a new virus called NGate.

Attackers drop this program on the victim's phone, usually via a malicious SMS (“smishing”) urging the user to install an application that carries the official logo of a bank or fintech and pretends to be legitimate but is not. Once on the victim's device, it starts a sequence of steps to capture and relay the data from the NFC chip of the victim's card.

NFC (Near Field Communication) technology, built into most phones, handles short-range wireless communication and is used to transfer data between devices that are within a few centimetres of each other. For example, payments can be taken via NFC: when you tap a contactless card at a POS terminal, the transaction goes over NFC.

“The NGate malware exploits this technology to carry out relay attacks, intercepting and retransmitting NFC data read by the phone from credit cards, allowing unauthorized transactions. Basically, it makes the ATM believe that the card is physically there, when in reality it is a phone that receives the information from a card that is on the victim's cell phone,” Dan Borgogno, hacker and security engineer at LatuSeguros, explained to Clarín.

The catch is that, while NFC is very practical and generally safe (the devices have to be very close, precisely so that nobody can charge us for something from a distance without our knowing), it can also be an attack vector.

How NGate works

The malware operates in the background to hide itself.

“The attack begins with the delivery of the NGate malware, which is typically introduced into mobile devices through social engineering methods such as phishing emails, SMS messages, or the download of malicious applications disguised as legitimate software. Once installed, NGate establishes itself on the device and is configured to operate silently in the background,” Martina López, Computer Security Researcher at ESET Latin America, explained in an interview with this outlet.

Operating in the background is typical of banking Trojans, one of the biggest threats in the banking world: programs that imitate legitimate applications and capture the user's access credentials as soon as they are entered.

“The key functionality of this malicious code lies in its ability to intercept NFC communication on the compromised device, exploiting this technology by capturing the data transmitted when a payment card is used near the infected device. This includes sensitive information such as the card number or its expiration date,” the specialist continued.

Once NGate has captured this data, the attacker can forward it to servers under their control and replay the NFC exchange at a terminal to make fraudulent purchases or withdraw money. “In addition, NGate can be accompanied by other malicious components that reinforce its presence on the device, ensuring that the malware is not easily removed and that data continues to flow to the attackers continuously,” added López.
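To make the relay described in the quotes above concrete, here is an added toy model in Python. It is not code from the article, from ESET, or from the NGate sample itself. Three parties take part: a stand-in card, a terminal that runs a two-command contactless flow, and a relay channel that plays the role of the infected phone plus the attacker's second device. The terminal receives byte-for-byte the same answers over the relay as from the real card, which is why it "believes the card is physically there"; the one thing the relay cannot hide is the extra round-trip time, so the terminal in this model bounds it. The APDUs, the card's responses, the test PAN, the timing figures and the 20 ms bound are all constructed for illustration; the timing check stands for the general class of relay-resistance (distance-bounding) defences and is not a claim about what any particular ATM does.

```python
"""
Toy model of an NFC relay attack (constructed example, not NGate code).

Parties:
  FakeCard      - stand-in for the victim's contactless card
  DirectChannel - the card held against the terminal's reader (genuine tap)
  RelayChannel  - the attacker's path: terminal -> emulator device -> network
                  -> infected phone -> card, and back again
  terminal_session - the terminal's flow, with a round-trip-time bound
"""
from dataclasses import dataclass

SW_OK = b"\x90\x00"                  # ISO 7816-4 status word: success
SW_INS_NOT_SUPPORTED = b"\x6d\x00"   # ISO 7816-4 status word: INS not supported

# Constructed command APDUs (CLA INS P1 P2 [Lc data] [Le]) a terminal might send.
SELECT_PPSE = bytes.fromhex("00A40400") + bytes([14]) + b"2PAY.SYS.DDF01" + b"\x00"
READ_RECORD = bytes.fromhex("00B2010C00")


class FakeCard:
    """Answers two commands with constructed data; real cards return EMV TLV structures."""

    RESPONSE_TIME_MS = 3.0   # assumed on-card processing time for one command

    def __init__(self, pan: str, expiry_yymm: str) -> None:
        self.pan = pan
        self.expiry = expiry_yymm

    def transmit(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0xA4:                        # SELECT: minimal (constructed) FCI template
            return b"\x6f\x00" + SW_OK
        if ins == 0xB2:                        # READ RECORD: Track-2-like PAN and expiry
            return f"{self.pan}D{self.expiry}".encode() + SW_OK
        return SW_INS_NOT_SUPPORTED


@dataclass
class Exchange:
    apdu: bytes
    response: bytes
    rtt_ms: float          # simulated round-trip time as seen by the terminal


class DirectChannel:
    """Genuine tap: the card answers the terminal directly."""

    def __init__(self, card: FakeCard) -> None:
        self.card = card

    def transmit(self, apdu: bytes) -> Exchange:
        return Exchange(apdu, self.card.transmit(apdu), FakeCard.RESPONSE_TIME_MS)


class RelayChannel:
    """Attacker's relay: every command crosses the network twice (to the card and back)."""

    def __init__(self, card: FakeCard, one_way_hop_ms: float) -> None:
        self.card = card
        self.hop_ms = one_way_hop_ms
        self.log = []      # what the attacker's server sees: each APDU and the card's reply

    def transmit(self, apdu: bytes) -> Exchange:
        response = self.card.transmit(apdu)    # the infected phone queries the real card
        self.log.append((apdu, response))
        return Exchange(apdu, response, FakeCard.RESPONSE_TIME_MS + 2 * self.hop_ms)


def terminal_session(channel, max_rtt_ms: float = 20.0) -> dict:
    """Run SELECT then READ RECORD and accept the card only if every round trip is in bound.

    max_rtt_ms is an assumed bound chosen for this toy, not a value from any real kernel.
    """
    exchanges = [channel.transmit(SELECT_PPSE), channel.transmit(READ_RECORD)]
    for ex in exchanges:
        if ex.response[-2:] != SW_OK:
            return {"accepted": False, "reason": "card error", "track2": None}
    track2 = exchanges[1].response[:-2].decode()   # the data the attacker wanted to see
    slowest = max(ex.rtt_ms for ex in exchanges)
    if slowest > max_rtt_ms:
        return {"accepted": False, "reason": f"round trip {slowest:.0f} ms exceeds bound", "track2": track2}
    return {"accepted": True, "reason": "ok", "track2": track2}


def demo() -> tuple:
    card = FakeCard("4111111111111111", "2712")   # well-known test PAN, not a real card
    genuine = terminal_session(DirectChannel(card))
    relay = RelayChannel(card, one_way_hop_ms=40.0)   # assumed mobile-network hop
    relayed = terminal_session(relay)
    return genuine, relayed, relay.log


if __name__ == "__main__":
    genuine, relayed, stolen = demo()
    print("tap with the real card :", genuine)
    print("tap through the relay  :", relayed)
    print("APDUs seen by attacker :", len(stolen))
```

Running it shows the relayed session delivering the same Track-2-like data to the terminal (and to the attacker's log) as the genuine tap; the only difference the terminal can observe is the round-trip time, and without a bound on it the two taps are indistinguishable.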

“This attack was detected in the Czech Republic, but given the global nature of cyberattacks and the ease with which tools and techniques can be shared on cybercriminal forums (for free or for a fee), it is entirely possible that this type of threat could reach the region. In addition, the adoption of NFC technology in Latin America is growing, which could attract cybercriminals interested in replicating this attack model,” López concluded.

Security measures: how to avoid falling prey to these attacks

NFC, the technology the attack exploits.

The ESET specialist reviewed with Clarín a number of measures that can help mitigate these attacks. Although these campaigns may seem sophisticated and complex, they are more common than users think, so it is worth taking precautions to avoid having an account drained.

  • First of all, users should be extremely cautious when installing applications on their mobile devices. It is advisable to download software only from official stores, such as Google Play Store or Apple App Store, and to avoid applications from unknown or suspicious sources, which are often vehicles for malware delivery.
  • Additionally, keeping the device’s operating system and apps up to date is crucial, as updates often include security patches that fix vulnerabilities exploitable by malware such as NGate. Disabling NFC when not in use is another effective preventative measure, as it reduces the window of opportunity for malware to capture sensitive data.
  • Mobile security solutions also play an essential role. Using up-to-date malware detection tools can help identify and neutralize threats before they compromise device security. Implementing anti-phishing measures is also important, as many infections begin with a trick that lures the user into downloading malicious software.
  • Finally, user awareness is key: understanding how these attacks work and staying alert to unusual device behavior, such as increased battery consumption or the appearance of unknown applications.

By Editor
