New Android Malware NGate Relays NFC Data to Clone Contactless Payment Cards
Cybersecurity researchers have discovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device in order to conduct fraudulent transactions. Note that, despite the name, nothing in the campaign encrypts data or demands a ransom; NGate is a credential-phishing and NFC-relay tool, not ransomware.
A Slovakia-based cybersecurity firm tracking the novel malware, named NGate, said it has observed the crimeware campaign targeting three banks in Czechia.
The malware "has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone," researchers Lukáš Štefanko and Jakub Osmani said in their analysis.
The activity is part of a broader campaign that has targeted financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024.
The end goal of the attacks is to clone the near-field communication (NFC) data from victims' physical payment cards using NGate and transmit it to an attacker device that then emulates the original card to withdraw money from an ATM.
NGate is derived from a legitimate tool called NFCGate, originally developed in 2015 for security research purposes by students at the Secure Mobile Networking Lab at TU Darmstadt.
The attack chains are said to combine social engineering and SMS phishing to trick users into installing NGate by directing them to short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store.
As many as six different NGate apps have been identified so far between November 2023 and March 2024, when the activity stopped, likely following the arrest of a 22-year-old by Czech authorities in connection with stealing funds from ATMs.
NGate, in addition to abusing NFCGate's functionality to capture NFC data and relay it to another device, prompts users to enter sensitive financial information, including their banking client ID, date of birth, and the PIN for their banking card. The phishing page is presented inside a WebView.
“It also instructs them to activate the NFC functionality on their smartphone,” the researchers mentioned. “Subsequently, victims are directed to place their payment card at the rear of their smartphone until the malevolent application detects the card.”
The attacks further employ a sneaky approach in which victims, after installing the PWA or WebAPK app via links sent over SMS, have their credentials phished and subsequently receive calls from the threat actor, who pretends to be a bank employee and informs them that their bank account has been compromised as a result of installing the app.
They are then instructed to change their PIN and validate their banking card using a different mobile app (i.e., NGate), an installation link to which is also sent via SMS. There is no evidence that these apps were distributed via the Google Play Store.

“NGate leverages two distinct servers to enable its operations,” the researchers clarified. “The initial server is a phishing site crafted to entice victims to disclose sensitive information and is capable of initiating an NFC relay attack. The second server is an NFCGate relay server assigned to redirect NFC traffic from the victim’s device to the attacker’s device.”
The disclosure coincides with a report from Zscaler ThreatLabz describing a new variant of a known Android banking malware called Copybara that is distributed via voice phishing (vishing) attacks and tricks victims into handing over their bank account credentials.
"This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to communicate with its command-and-control (C2) server," Ruchna Nigam said.
“The malware exploits the accessibility service feature native to Android devices to exert detailed control over the infected device. Simultaneously, the malware proceeds to download counterfeit pages mimicking popular cryptocurrency exchanges and financial organizations using their logos and application names.”