Cybercriminals have reportedly found a way to steal from smartphone users by exfiltrating the data read by their device’s near-field communications (NFC) chip.
The scam was revealed by cybersecurity researchers at ESET, who said it includes progressive web apps (PWA), advanced WebAPKs, and significant social engineering in a multi-step approach that requires a bit of naivety from the victim.
But it’s not just about stealing money, as many different services use NFC technology – including access cards, transportation tickets, and more, opening victims up to a potential world of hurt.
Enter NGate
It all starts with an SMS message, or an automated call to the victim, in which the crooks impersonate the victim’s bank and urge them to install a malicious PWA or a WebAPK, claiming they were important updates. Since these apps don’t work in the same manner as classic apps, they don’t require the same permissions. Instead, they get the necessary access by abusing the browser’s API.
Once that part is out of the way, the fraudsters call up the victim, impersonating a bank employee, and warn them of a security incident. The only way to secure their funds, the scammers explain, is to download an app that verifies the payment card, and more importantly – the PIN number.
The app is NGate, the malware that can capture NFC data from payment cards close to the infected device, and then send it to the attackers, either directly, or via a proxy. It does so through an open-source component called NFCGate, a research project that allows on-device capturing, relaying, replaying, and cloning features.
Obviously, once the victim shares their PIN number, it’s mostly game over. The crooks would use the data to clone the card on their smartphones, and either make cash withdrawals from ATM machines, or make purchases on POS endpoints.
Commenting on the findings, Google told the publication that Google Play Protect, Android’s default security tool, detects this malware.
“Based on our current detections, no apps containing this malware are found on Google Play.
Generally, Google is doing a solid job at keeping its mobile app repository clean, and the majority of fake and malicious apps are usually hosted elsewhere around the internet. Therefore, the best way to remain secure is to only download Android apps from reputable sources.
Via BleepingComputer
