Android malware used to steal ATM info from customers at three European banks

A strain of malware built for Android devices was used by cybercriminals to rob three Czech banks in a campaign uncovered over the last nine months. 

Researchers from Slovakia-based cybersecurity firm ESET named the malware NGate and said it was used by cybercriminals as part of a  larger string of attacks where hackers set up malicious banking applications that were nearly identical to legitimate European ones in an effort to steal user data in an elaborate phishing scheme.

But Lukáš Štefanko, who discovered the novel threat and technique, explained that the malware used in the attacks on Czech victims stood out because it has the ability to relay someone’s payment cards through a malicious app installed on a victim’s Android device. 

Štefanko said the hackers discovered a way to relay near field communication (NFC) data from the victims’ physical payment cards through their compromised Android smartphones to the attacker’s device.

From there, the hackers used the stolen data to conduct ATM transactions and if this failed, the hackers had a backup plan of simply transferring funds from the victim’s bank account to other accounts. 

“We haven’t seen this novel NFC relay technique in any previously discovered Android malware,” Štefanko said.

‘Place your card here’

The cybercriminals behind the campaign were able to convince victims to download the malicious app after sending phishing messages purporting to be from the person’s bank. The messages claimed their device was compromised and that the victims would need to download an app to resolve the issue — inadvertently infecting their device in the process. 

The app was never available in the official Google Play store and most victims downloaded the app from a link sent over text. The malware was delivered through domains made to look like banking websites or official mobile banking apps. 

Once NGate is installed, it shows a fake website that asks the victim to enter banking information like client IDs, dates of birth, PIN codes and more. 

The app also asks victims to turn on the NFC feature of their devices and to place their payment card on the back of their smartphone until the malicious app registers the card. 

The hackers then use the NFCGate tool — which was built to relay NFC data between two devices — to steal the card information. 

ESET researchers have been tracking the activities of the actors behind the campaign since November 2023, noting that they operated in Czechia. They saw the group specifically target the customers of prominent Czech banks in November.

They noted that the group stopped operating for a period of time after the alleged arrest of an unnamed member in March 2024.

But ESET added that this is the first time they had ever seen Android malware with this kind of capability used in the wild. 

Štefanko urged people to be more wary online before taking any actions, checking the URLs of websites, keeping PIN numbers secure and turning off the NFC function when it is not needed. He also suggested using virtual cards — which give people temporary card information they can enter on websites.