NGate Android malware uses NFC to steal cash

SeniorTechInfo

The Rise of NGate: A Unique Crimeware Campaign Targeting Czech Banks

ESET researchers recently unveiled a sophisticated crimeware campaign that specifically targeted clients of three Czech banks. This campaign utilized a new malware strain dubbed NGate, which possesses a remarkable capability to relay data from victims’ payment cards through a malicious app on their Android devices to the attacker’s rooted Android phone.

Key Highlights:

  • Attackers employed a combination of social engineering, phishing, and Android malware to craft a novel attack scenario, targeting customers of three banks.
  • Based on data from ESET Brand Intelligence Service, the group behind this campaign has been active in Czechia since November 2023, initially using phishing via progressive web apps (PWAs) and WebAPKs, later advancing to NGate Android malware in March 2024.
  • NGate allowed attackers to clone NFC data from victims’ physical payment cards and relay it to facilitate unauthorized ATM withdrawals.
  • This marks the first instance of Android malware with NFC relay capabilities in the wild.
  • Victims did not need to root their devices for the attack to occur.

The primary objective of this campaign was to enable illicit ATM withdrawals from victims’ bank accounts by leveraging the near field communication (NFC) data extracted from their physical payment cards through compromised Android smartphones using NGate malware. The attackers could then utilize this data for ATM transactions or transferring funds to other accounts if the ATM withdrawal failed.
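The relay described above starts with an app on the victim's phone that has NFC access and, on the cash-out side, with an app able to emulate a card (Android host card emulation, HCE). A defender triaging a sideloaded APK can look for exactly those declarations in the manifest. The script below is an added example, not ESET's code or anything from the campaign; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest and package name are constructed. Legitimate wallet and payment apps declare the same capabilities, so the result is a review flag, not a verdict.

```python
"""Triage helper: flag decoded Android manifests that declare NFC capability
and a host-card-emulation (HCE) service.

Added example (not ESET's code). Assumes the manifest is already decoded XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NFC_PERMISSION = "android.permission.NFC"
# Action string that HostApduService implementations must register for.
HCE_SERVICE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed sample: what a sideloaded "banking" app with relay capability
# might declare. Package name and service name are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Bank">
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign sample with no NFC-related declarations at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return NFC-related findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"

    permissions = {e.get(name_attr) for e in root.iter("uses-permission")}

    # Any <service> whose intent filter registers the HCE action can emulate
    # a payment card toward a terminal or ATM.
    hce_services = []
    for svc in root.iter("service"):
        actions = {a.get(name_attr) for a in svc.iter("action")}
        if HCE_SERVICE_ACTION in actions:
            hce_services.append(svc.get(name_attr))

    findings = {
        "package": root.get("package"),
        "requests_nfc": NFC_PERMISSION in permissions,
        "hce_services": hce_services,
    }
    # Flag for analyst review when the app both talks NFC and can act as a card.
    findings["review"] = findings["requests_nfc"] and bool(hce_services)
    return findings


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

In practice this check belongs alongside the app's install source (sideloaded versus store) and its network behaviour; an HCE service in an app that is not a known wallet and was installed from a link is the combination worth escalating.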

Evolution of the Attack:

Initially, attackers utilized PWAs and WebAPKs to target clients of Czech banks. This evolved into the deployment of NGate malware, which leveraged a novel NFC relay technique to extract and relay victims’ payment card data. The attackers honed their techniques over time, adapting to the changing security landscape to maximize their fraudulent gains.

Victimology and Impact:

During the investigation, ESET researchers identified six distinct NGate apps tailored for clients of the three targeted banks in Czechia. The arrest of a 22-year-old suspect in Prague with significant cash on hand highlights the tangible financial impact of this scheme and underscores the need for heightened vigilance against such crimes.

Technical Analysis and Prevention:

NGate malware employs sophisticated techniques to deceive victims and extract sensitive information, emphasizing the importance of safeguarding against phishing, social engineering, and Android malware. Implementing security measures such as verifying website authenticity, downloading apps only from official sources, and keeping PIN codes confidential can bolster defenses against such attacks.

Conclusion:

The NGate crimeware campaign represents a significant threat landscape evolution, combining traditional phishing methods with advanced malware capabilities to defraud banking customers. While the immediate impact may have been contained in Czechia, the potential for expansion to other regions remains a concern, necessitating continued vigilance and robust security practices.

For inquiries regarding our research or threat intelligence services, contact us at threatintel@eset.com.
