Researchers at ESET have uncovered a sophisticated crimeware campaign targeting customers of three major Czech banks. The malicious operation, which began in November 2023, employs a novel Android malware named “NGate,” designed to relay near field communication (NFC) data from victims' payment cards to attackers, enabling unauthorized ATM withdrawals.

The NGate malware attack involves techniques such as social engineering, phishing, and Android malware combined in a new and dangerous way. The attackers sent lure messages to random phone numbers, tricking recipients into believing they were interacting with their banks. These messages persuaded victims to download and install a malicious app on their Android devices.

Once installed, the NGate malware exploited the NFC capabilities of the victim's smartphone. It cloned the NFC data from physical payment cards and transmitted this data to the attacker's rooted Android device. The attacker could then emulate the victim's card to perform ATM withdrawals, bypassing the need for the physical card.

This is the first instance of Android malware using such an NFC relay technique in the wild. The method is based on a tool called NFCGate, originally developed by students at the Technical University of Darmstadt in Germany, to capture, analyze, or alter NFC traffic. By leveraging this tool, the attackers were able to create a highly effective method of stealing funds.

ESET researchers also noted that the attackers did not require the victims to root their devices, making the malware more accessible to a broader range of targets. The campaign’s primary goal was to facilitate unauthorized ATM withdrawals, but if that method failed, the attackers had a fallback plan to transfer funds from the victims’ accounts to other bank accounts.

According to ESET, the group responsible for this attack has been operating since late 2023, primarily in Czechia. Initially, the threat actor used malicious progressive web apps (PWAs) and WebAPKs to target victims. However, in March 2024, their technique evolved with the deployment of the NGate Android malware.

In March 2024, the Czech police arrested a a 22-year-old suspect in Prague allegedly linked to the NGate malware campaign.

Last week, ESET published a report warning of a new phishing campaign targeting mobile banking users in the Czech Republic, exploiting Progressive Web Applications (PWAs) to steal banking credentials.