Full Report
Android malware discovered by ESET Research relays NFC data from victims’ payment cards, via victims’ mobile phones, to the device of a perpetrator waiting at an ATM
Analysis Summary
# Tool/Technique: NGate
## Overview
NGate is an Android malware family uncovered in a crimeware campaign targeting clients of three Czech banks. Its unique purpose is to relay Near Field Communication (NFC) data from victims' physical payment cards, via their compromised Android smartphones, to an attacker's rooted Android device. This allows the attacker to emulate the card and perform unauthorized ATM withdrawals.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: relays NFC data from the victim's payment card to the attacker's device; falls back to transferring funds directly when the relay fails; captures device information (model, Android version, NFC details); may capture sensitive information through a phishing WebView. The relay technique is based on the open-source tool NFCGate.
- First Seen: Operation active since November 2023; NGate malware deployed starting March 2024.
## MITRE ATT&CK Mapping
- T1660 - Phishing (Initial Access)
- T1417.002 - Input Capture: GUI Input Capture (Credential Access)
- T1426 - System Information Discovery (Discovery)
- T1437.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1509 - Non-Standard Port (Command and Control)
- T1644 - Out of Band Data (Command and Control)
## Functionality
### Core Capabilities
- **NFC Data Relay:** Captures and relays NFC data from the victim's physical payment card through the infected Android device to an attacker-controlled device capable of emulating the card for ATM withdrawals.
- **Fund Transfer Fallback:** If the NFC relay method fails, the malware supports transferring funds directly from the victim's account to other bank accounts.
- **Information Gathering:** Extracts system information, including device model, Android version, and NFC capability details.
### Advanced Features
- **Phishing WebView:** Attempts to obtain sensitive information by displaying a malicious WebView pretending to be a banking service (GUI Input Capture).
- **C2 Communication:** Uses web protocols (JavaScript interface) over a non-standard port (5566) to communicate with the Command and Control (C2) server, specifically for exfiltrating NFC traffic (Out of Band Data).
- **Evolution of Delivery:** Initially used social engineering combined with Progressive Web Apps (PWAs) and later WebAPKs before deploying the NGate Android malware itself.
## Indicators of Compromise
- File Hashes:
  - **SHA-1 (40-hex digests as listed):** E7AE59CD44204461EDBDDF292D36EEED38C83696, 103D78A180EB973B9FFC289E9C53425D29A77229, 11BE9715BE9B41B1C8527C9256F0010E26534FDB
- File Names: george_klic.apk, george_klic-0304.apk, rb_klic.apk (APK file names used by the malware)
- Network Indicators:
  - IP: 91.222.136[.]153 (Distribution website)
  - IP: 104.21.7[.]213 (Phishing website hosted on workers[.]dev)
  - IP: 172.187.98[.]211 (C2 server)
  - IP: 185.104.45[.]51 (Distribution website)
  - IP: 185.181.165[.]124 (C2 server)
  - Domain: raiffeisen-cz[.]eu
  - Domain: client.nfcpay.workers[.]dev
  - Domain: app.mobil-csob-cz[.]eu
  - Domain: nfc.cryptomaker[.]info
- Behavioral Indicators: Communication on TCP port 5566 for NFC traffic exfiltration; displays deceptive full-screen web views impersonating banking services.
## Associated Threat Actors
- An unnamed threat actor operating in Czechia since November 2023, believed to have been arrested in March 2024.
## Detection Methods
- Signature-based detection: Match the known file hashes listed above and the AV detection names assigned to the NGate variants (e.g., `Android/Spy.NGate.A`, `Android/Spy.NGate.C`).
- Behavioral detection: Monitor for Android applications exhibiting excessive interest in NFC subsystem data or unusual network communication on non-standard ports (like 5566) targeting external C2 infrastructure.
- YARA rules: Requires development based on analysis of the identified APK contents.
## Mitigation Strategies
- Strong user education regarding social engineering and link safety, especially concerning communications claiming to be from banks regarding taxes or security issues.
- Strict enforcement against installing applications from unknown sources outside official app stores (noting that the earlier delivery stages used PWAs and WebAPKs, which bypass some of the checks that apply to sideloaded APKs).
- Monitor network traffic for connections to listed malicious IPs or domains, particularly on port 5566.
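The network monitoring recommended above and in the behavioral detection bullet can be expressed as a small scanner. The following is an added example written for this page, not code from ESET or from the NGate analysis: it refangs the defanged IoCs listed in the Indicators of Compromise section and flags connection records whose destination is one of those IPs or domains (including subdomains), or whose destination port is 5566. The log format ("src dst dport proto", one record per line) and the sample records are constructed for the example.

```python
"""Scan connection records for the NGate network indicators on this page.

Added example: refangs the published defanged IoCs and flags destinations
matching a listed IP/domain or TCP port 5566. Log format is assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the page, kept in defanged form as published.
DEFANGED_IPS = [
    "91.222.136[.]153", "104.21.7[.]213", "172.187.98[.]211",
    "185.104.45[.]51", "185.181.165[.]124",
]
DEFANGED_DOMAINS = [
    "raiffeisen-cz[.]eu", "client.nfcpay.workers[.]dev",
    "app.mobil-csob-cz[.]eu", "nfc.cryptomaker[.]info",
]
C2_PORT = 5566  # port reported for NGate NFC traffic exfiltration


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


@dataclass
class Alert:
    line_no: int
    reasons: tuple  # e.g. ("ioc-ip", "port-5566")
    dst: str
    dport: int


# Assumed record layout (constructed for this example): "src dst dport proto"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def classify(dst: str, dport: int) -> tuple:
    """Return the reasons a destination/port pair matches the indicators."""
    reasons = []
    host = dst.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # raises ValueError for hostnames
        if host in IOC_IPS:
            reasons.append("ioc-ip")
    except ValueError:
        # Exact domain match or any subdomain of a listed domain.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("ioc-domain")
    if dport == C2_PORT:
        reasons.append("port-5566")
    return tuple(reasons)


def scan(log_text: str) -> list:
    """Parse records and return an Alert for every line that matches."""
    alerts = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _src, dst, dport, _proto = m.groups()
        reasons = classify(dst, int(dport))
        if reasons:
            alerts.append(Alert(n, reasons, dst, int(dport)))
    return alerts


# Constructed sample records; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, used here as benign/unknown destinations.
SAMPLE_LOG = """\
10.0.0.5 172.187.98.211 5566 tcp
10.0.0.5 198.51.100.20 443 tcp
10.0.0.7 raiffeisen-cz.eu 443 tcp
10.0.0.7 m.app.mobil-csob-cz.eu 443 tcp
10.0.0.9 203.0.113.8 5566 tcp
10.0.0.9 example.com 80 tcp
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.dst}:{a.dport} -> {', '.join(a.reasons)}")
```

A hit on a listed IP or domain is a high-confidence indicator; a hit on port 5566 alone (line 5 of the sample) is only a prompt to look closer, since unrelated software also uses high ports, so treat "port-5566" without an IoC match as a lead to correlate with the device's installed packages rather than as a verdict on its own.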
## Related Tools/Techniques
- NFCGate: The open-source tool developed by students at the Technical University of Darmstadt, upon which the NGate malware technique is based.
- Progressive Web Apps (PWAs) / WebAPKs: Earlier stages of the campaign utilized these technologies for deceptive installation before migrating to dedicated Android malware.