NGate: Novel Android malware for unauthorized ATM withdrawals via NFC relay
While theoretical NFC relay attacks have been discussed for years, real-world attacks remain rare – especially successful ones. Dive with us into NGate, the first publicly known, in-the-wild Android malware that used an NFC relay attack to facilitate remote ATM withdrawals and successfully stole thousands from victims in Czechia early in 2024 – with a little help from social engineering and phishing.
These attacks started in Czechia in November 2023. Initially, the attackers took advantage of progressive web apps (PWAs), which are essentially websites that function like mobile apps. They then advanced their tactics by using a more complex form of PWAs called WebAPKs. This progression led to the final step of their attack: distribution of the NGate malware.
To spice things up, we’ll delve into NFCGate, the legitimate, open-source NFC research toolkit that the NGate malware is based on, and explain two additional attack scenarios that can be achieved with the same tooling. During our presentation, we will demonstrate NFC attacks against contactless payments and NFC token cloning. We will show how attackers can use a smartphone to scan contactless cards in public places, enabling them to make payments at a remote terminal at the same time. Additionally, we will demonstrate how an attacker can clone the UID of MIFARE Classic 1k NFC contactless smartcards to gain access to restricted areas.
Lukas Štefanko – ESET
Lukas Štefanko is an experienced malware researcher with a strong engineering background and a well-demonstrated focus on Android malware research and security. With more than 13 years of experience with malware, he has been focusing on improving detection mechanisms for Android malware and, in the past couple of years, has made major strides toward heightening public awareness of mobile threats and app vulnerabilities. He has presented at several security conferences, including RSA, Virus Bulletin, Confidence, DefCamp, BountyCon, AVAR, CARO Workshop, Infoshare, Ekoparty, and Copenhagen CyberCrime.