Cybersecurity researchers have identified a new Android malware named NGate that is capable of relaying victims' contactless payment data from physical credit and debit cards to a device controlled by attackers. This enables the execution of fraudulent transactions.
The Slovak cybersecurity firm has been tracking this novel malware and observed that it specifically targets three banks in Czechia. According to researchers Lukáš Štefanko and Jakub Osmani, "NGate has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone."
These activities are part of a larger campaign that has been targeting financial institutions in Czechia since November 2023, utilizing malicious progressive web apps (PWAs) and WebAPKs. The earliest recorded instance of NGate's use dates back to March 2024.
The primary objective of these attacks is to clone near-field communication (NFC) data from the victims' physical payment cards using NGate. This data is then transmitted to an attacker device that emulates the original card to withdraw cash from ATMs.
NGate is derived from a legitimate tool called NFCGate, which was originally developed in 2015 for security research by students at the Secure Mobile Networking Lab at TU Darmstadt.
The attack methods are believed to involve a mix of social engineering and SMS phishing, luring users into installing NGate by directing them to short-lived domains that mimic legitimate banking websites or official mobile banking apps on the Google Play Store.
From November 2023 to March 2024, six different NGate apps were identified. The activities likely ceased following the arrest of a 22-year-old by Czech authorities for ATM fund theft.
In addition to exploiting NFCGate's capabilities to capture and relay NFC traffic, NGate prompts users to provide sensitive financial details, such as their banking client ID, date of birth, and PIN code, using a phishing page presented within a WebView. "It also asks them to turn on the NFC feature on their smartphone," the researchers noted. "Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card."
The attacks take a more deceptive route by having victims install the PWA or WebAPK apps through links sent via SMS. After capturing the victims' credentials, the attackers impersonate bank employees, calling the victims to warn them that their bank accounts have been compromised due to the installation of the malicious app.
Victims are then advised to change their PIN and validate their banking card using another mobile app, namely NGate. The link to install NGate is also sent through SMS. There is no evidence to suggest that these apps were available on the Google Play Store.
"NGate uses two distinct servers to facilitate its operations," the researchers explained. "The first is a phishing website designed to lure victims into providing sensitive information and capable of initiating an NFC relay attack. The second is an NFCGate relay server tasked with redirecting NFC traffic from the victim's device to the attacker's."

This discovery comes alongside Zscaler ThreatLabz's report on a new variant of the Android banking trojan known as Copybara, which is propagated through voice phishing (vishing) attacks to trick users into providing their bank account credentials. "This new variant of Copybara has been active since November 2023 and uses the MQTT protocol to establish communication with its command-and-control (C2) server," said Ruchna Nigam.
"The malware exploits the accessibility service feature native to Android devices to exert granular control over the infected device. Additionally, the malware downloads phishing pages in the background that mimic popular cryptocurrency exchanges and financial institutions, using their logos and application names."