Think tap to pay is safer? New Android malware uses stolen NFC data to drain your accounts

Switching from chip-and-PIN cards to contactless ones seemed like the perfect way to stay safe from credit card skimmers. However, a new Android malware abuses the same technology used for tap to pay to steal payment data from unsuspecting victims.

As reported by The Hacker News, the malware in question has been dubbed NGate by security researchers at ESET, and it steals NFC data to clone contactless credit and debit cards on a hacker’s smartphone. With these cloned payment cards on their phone, the attackers can drain a victim’s bank accounts by using them to withdraw funds at ATMs.

Here’s everything you need to know about this new Android malware strain and how to stay safe from hackers.

Impersonating banks to take over phones

The NGate malware is based on a legitimate tool called NFCGate, originally created by students at TU Darmstadt’s Secure Mobile Networking Lab in 2015. In the years since, though, the technique used by this tool has been weaponized by hackers.

According to a new report from ESET, the attackers behind this recent NGate campaign use a combination of social engineering and SMS phishing to trick unsuspecting Android users into installing the malware themselves. The lures are fake sites that impersonate actual banks or their mobile apps on the Google Play Store.

Between November of last year and March of this year, as many as six different malicious apps spreading the NGate malware were identified. However, malicious activity slowed significantly once law enforcement in Czechia arrested a 22-year-old who was found withdrawing funds using stolen cards at ATMs.

Once one of the malicious apps used to distribute the NGate malware is installed on a victim’s smartphone, it asks them to enter sensitive financial information, including their banking client ID, date of birth and the PIN code for their bank card, via a phishing page displayed in a WebView. Victims are also asked to turn on NFC on their phone and instructed to hold their debit or credit card against it until the malicious app recognizes the card.

To make matters worse, victims also receive calls from the attacker, who pretends to be a bank employee and tells them their account has been compromised as a result of installing the malicious app in question. From there, victims are asked to change their PIN and validate their card using another NGate app.

How to stay safe from advanced Android malware

At the moment, the NGate malware is only being used by hackers to target owners of the best Android phones in Czechia. However, as with other online threats, this one could easily spread to the U.S., the U.K., Canada, Australia and other countries around the world. For this reason, you need to be on the lookout for more complicated malware attacks like this one.

To avoid getting infected with the NGate malware, ESET recommends that Android users only download apps from official app stores like the Google Play Store, Samsung Galaxy Store and the Amazon Appstore. You also want to carefully scrutinize the URLs of any websites you visit and avoid clicking on links in emails and messages from unknown senders.

As this attack abuses NFC to steal your bank and credit cards, you may want to consider turning this feature off when you’re not actively using it. It could also be worth investing in a phone case that blocks unwanted RFID scans, which can prevent hackers from using NFC to steal your payment cards. You may also want to consider using digital versions of your physical cards on your phone. These digital versions are stored securely on your device, and you can use biometrics like your fingerprint or a face scan to keep them even safer.

Since we are dealing with malware, you also want to ensure that Google Play Protect is enabled on your device, as it can scan all of your existing apps and any new ones you download for viruses. For additional protection, though, you should also consider using one of the best Android antivirus apps alongside it.
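The two recommendations above (install only from official stores, and treat NFC access with care) can be checked on a device you own. The following is an added example, not code from ESET or Tom's Guide: it parses the text printed by `adb shell pm list packages -i -3` and `adb shell dumpsys package <pkg>` and lists apps that were not installed by one of the stores named above yet request the NFC permission. The package names and sample output are constructed, and the function names are this example's own.

```python
import re

# Installer package names of the official stores named in the article.
OFFICIAL_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer from `adb shell pm list packages -i -3` text."""
    found = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def requests_nfc(dumpsys_output):
    """True if `adb shell dumpsys package <pkg>` text requests the NFC permission."""
    in_block = False
    for line in dumpsys_output.splitlines():
        text = line.strip()
        if text.endswith(":"):  # section header, e.g. "install permissions:"
            in_block = (text == "requested permissions:")
        elif in_block and text.split(":")[0] == "android.permission.NFC":
            return True
    return False

def audit(pm_output, dumpsys_by_pkg):
    """Return (package, installer) pairs that are sideloaded and NFC-capable."""
    flagged = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer not in OFFICIAL_INSTALLERS and requests_nfc(dumpsys_by_pkg.get(pkg, "")):
            flagged.append((pkg, installer))
    return flagged

# Constructed sample device output (hypothetical package names).
SAMPLE_PM = """package:cz.example.bank  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.example.game  installer=com.google.android.packageinstaller"""
NFC_DUMP = ("    requested permissions:\n      android.permission.INTERNET\n"
            "      android.permission.NFC\n    install permissions:\n"
            "      android.permission.NFC: granted=true\n")
NO_NFC_DUMP = ("    requested permissions:\n      android.permission.INTERNET\n"
               "    install permissions:\n      android.permission.INTERNET: granted=true\n")
SAMPLE_DUMPS = {"cz.example.bank": NFC_DUMP, "com.example.fakebank": NFC_DUMP,
                "com.example.game": NO_NFC_DUMP}

if __name__ == "__main__":
    print(audit(SAMPLE_PM, SAMPLE_DUMPS))
```

A flagged app is a candidate for review, not a verdict: legitimate sideloaded apps can request NFC too, so check each result against what you knowingly installed.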

In an email to Tom's Guide, a Google spokesperson provided further insight on this new Android malware threat, saying:

"Based on our current detections, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

Hackers are always coming up with clever new ways to steal your hard-earned cash, and the NGate malware is the perfect example of this. However, if you take the necessary precautions and are careful online, you should have no problem at all avoiding falling victim to this new threat.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.