NFC


Android malware steals payment card data using previously unseen technique

NEW ATTACK SCENARIO —

Attacker then emulates the card and makes withdrawals or payments from victim’s account.


Newly discovered Android malware steals payment card data using an infected device’s NFC reader and relays it to attackers, a novel technique that effectively clones the card so it can be used at ATMs or point-of-sale terminals, security firm ESET said.

ESET researchers have named the malware NGate because it incorporates NFCGate, an open source tool for capturing, analyzing, or altering NFC traffic. Short for Near-Field Communication, NFC is a protocol that allows two devices to wirelessly communicate over short distances.

New Android attack scenario

“This is a new Android attack scenario, and it is the first time we have seen Android malware with this capability being used in the wild,” ESET researcher Lukas Stefanko said in a video demonstrating the discovery. “NGate malware can relay NFC data from a victim’s card through a compromised device to an attacker’s smartphone, which is then able to emulate the card and withdraw money from an ATM.”

Lukas Stefanko—Unmasking NGate.

The malware was installed through traditional phishing scenarios, such as the attacker messaging targets and tricking them into installing NGate from short-lived domains that impersonated the banks or official mobile banking apps available on Google Play. Masquerading as a legitimate app for a target’s bank, NGate prompts the user to enter the banking client ID, date of birth, and the PIN code corresponding to the card. The app goes on to ask the user to turn on NFC and to scan the card.

ESET said it discovered NGate being used against three Czech banks starting in November and identified six separate NGate apps circulating between then and March of this year. Some of the apps used in later months of the campaign came in the form of PWAs, short for Progressive Web Apps, which as reported Thursday can be installed on both Android and iOS devices even when settings (mandatory on iOS) prevent the installation of apps available from non-official sources.

The most likely reason the NGate campaign ended in March, ESET said, was the arrest by Czech police of a 22-year-old they said they caught wearing a mask while withdrawing money from ATMs in Prague. Investigators said the suspect had “devised a new way to con people out of money” using a scheme that sounds identical to the one involving NGate.

Stefanko and fellow ESET researcher Jakub Osmani explained how the attack worked:

The announcement by the Czech police revealed the attack scenario started with the attackers sending SMS messages to potential victims about a tax return, including a link to a phishing website impersonating banks. These links most likely led to malicious PWAs. Once the victim installed the app and inserted their credentials, the attacker gained access to the victim’s account. Then the attacker called the victim, pretending to be a bank employee. The victim was informed that their account had been compromised, likely due to the earlier text message. The attacker was actually telling the truth – the victim’s account was compromised, but this truth then led to another lie.

To “protect” their funds, the victim was requested to change their PIN and verify their banking card using a mobile app – NGate malware. A link to download NGate was sent via SMS. We suspect that within the NGate app, the victims would enter their old PIN to create a new one and place their card at the back of their smartphone to verify or apply the change.

Since the attacker already had access to the compromised account, they could change the withdrawal limits. If the NFC relay method didn’t work, they could simply transfer the funds to another account. However, using NGate makes it easier for the attacker to access the victim’s funds without leaving traces back to the attacker’s own bank account. A diagram of the attack sequence is shown in Figure 6.

Figure 6. NGate attack overview. (Credit: ESET)

The researchers said NGate or apps similar to it could be used in other scenarios, such as cloning some smart cards used for other purposes. The attack would work by copying the unique ID of the NFC tag, abbreviated as UID.

“During our testing, we successfully relayed the UID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases,” the researchers wrote. “Using NFCGate, it’s possible to perform an NFC relay attack to read an NFC token in one location and, in real time, access premises in a different location by emulating its UID, as shown in Figure 7.”

Figure 7. Android smartphone (right) that read and relayed an external NFC token’s UID to another device (left). (Credit: ESET)

The cloning could all occur in situations where the attacker has physical access to a card or is able to briefly read a card in unattended purses, wallets, backpacks, or smartphone cases holding cards. To perform and emulate such attacks requires the attacker to have a rooted and customized Android device. Phones that were infected by NGate didn’t have this requirement.



Apple settles EU probe by opening up its mobile payments system

A small price to pay? —

iPhone users will get more choices to make “touch-and-go” payments in the EU.


In two weeks, iPhone users in the European Union will be able to use any mobile wallet they like to complete “tap and go” payments with the ease of using Apple Pay.

The change comes as part of a settlement with the European Commission (EC), which investigated Apple for potentially shutting out rivals by denying access to the “Near Field Communication” (NFC) technology on its devices that enables the “tap and go” feature. Apple did not develop this technology, which is free for developers, the EC said, and going forward, Apple agreed to not charge developers fees to provide the NFC functionality on its devices.

In a press release, the EC’s executive vice president, Margrethe Vestager, said that Apple’s commitments in the settlement address the commission’s “preliminary concerns that Apple may have illegally restricted competition for mobile wallets on iPhones.”

“From now on, Apple can no longer use its control over the iPhone ecosystem to keep other mobile wallets out of the market,” Vestager said. “Competing wallet developers, as well as consumers, will benefit from these changes, opening up innovation and choice, while keeping payments secure.”

Apple has until July 25 to follow through on three commitments that resolve the EC’s concerns that Apple may have “prevented developers from bringing new and competing mobile wallets to iPhone users.”

Arguably, providing outside developers access to NFC functionality on its devices is the biggest change. Rather than allowing developers to access this functionality through Apple’s hardware, Apple has borrowed a solution prevalent in the Android ecosystem, Vestager said, granting access through a software solution called “Host Card Emulation mode.”

This, Vestager said, provides “an equivalent solution in terms of security and user experience” and paves the way for other wallets to be more easily used on Apple devices.

An Apple spokesperson told CNBC that “Apple is providing developers in the European Economic Area with an option to enable NFC contactless payments and contactless transactions for car keys, closed loop transit, corporate badges, home keys, hotel keys, merchant loyalty/rewards, and event tickets from within their iOS apps using Host Card Emulation based APIs.”

To ensure that Apple Pay is on an equal playing field with other wallets, the EC said that Apple committed to improve contactless payments functionality for rival wallets. That means that “iPhone users will be able to double-click the side button of their iPhones to launch” their preferred wallet and “use Face ID, Touch ID and passcode to verify” their identities when using competing wallets.

Perhaps most critically for users drawn to the convenience of Apple’s payment options, Apple also agreed to allow rival wallets to be set as the default payment option.

These commitments will remain in force for 10 years, Vestager said.

Apple did not immediately respond to Ars’ request for comment. Apple’s spokesperson confirmed to CNBC that no changes would be made to Apple Pay or Apple Wallet as a result of the settlement.

Apple’s commitments go beyond the DMA

Before accepting Apple’s commitments, the EC spoke to “many banks, app developers, card issuers, and financial associations,” Vestager said, whose feedback helped improve Apple’s commitments.

According to Vestager, Apple’s changes go beyond the requirements of the EU’s strict antitrust law, the Digital Markets Act, which “requires gatekeepers to ensure effective interoperability with hardware and software features that they use within their ecosystems,” including “access to NFC technology for mobile payments.”

Beyond the DMA, Apple agreed to have its compliance with the settlement “ensured by a monitoring trustee,” as well as to provide “a fast dispute resolution mechanism, which will also allow for an independent review of Apple’s implementation.”

Vestager assured all stakeholders in the European Economic Area that these changes will prevent any potential harms caused by Apple seeming to shut other wallets out of its devices, which “may have had a negative impact on innovation.” By settling the yearslong probe, Apple avoided a potentially large fine. In March, the EC fined Apple nearly $2 billion for restricting “alternative and cheaper music subscription services” like Spotify in its app store, and the suspected anticompetitive behavior in Apple’s payments ecosystem seemed just as harmful, the EC found.

“This reduction in choice and innovation is harmful,” Vestager said, confirming that the settlement concluded the EC’s probe into Apple Pay. “It is harmful to consumers and it is illegal under EU competition rules.”



Apple announces sweeping EU App Store policy changes—including sideloading

The iPhone 15 lineup.

To comply with European Union regulations, Apple has introduced sweeping changes that make iOS and Apple’s other operating systems more open. The changes are far-reaching and touch many parts of the user experience on the iPhone. They’ll be coming as part of iOS 17.4 in March.

Apple will introduce “new APIs and tools that enable developers to offer their iOS apps for download from alternative app marketplaces,” as well as a new framework and set of APIs that allow third parties to set up and manage those stores—essentially new forms of apps that can download other apps without going through the App Store. That includes the ability to manage updates for other developers’ apps that are distributed through the marketplaces.

The company will also offer APIs and a new framework for third-party web browsers to use browser engines other than Safari’s WebKit. Until now, browsers like Chrome and Firefox were still built on top of Apple’s tech. They essentially were mobile Safari, but with bookmarks and other features tied to alternative desktop browsers.

The changes also extend to NFC technology and contactless payments. Previously, only Apple Pay could fully access those features on the iPhone. Now, Apple will introduce new APIs that will let developers of banking and wallet apps gain more comparable access.

Developers will have new options for using alternative payment service providers within apps and for directing users to complete payments on external websites via link-outs. They’ll be able to use their apps to tell users about promotions and deals that are offered outside of those apps. (Apple warns that it will not be able to provide refunds or support for customers who purchased something outside its own payment system.)

Apple says it will give users in the European Union the ability to pick default App Stores or default contactless payment apps, just like they already can for email clients or web browsers. EU users will be prompted to pick a default browser when they first open Safari in iOS 17.4 or later, too.

Developers can “submit additional requests for interoperability with iPhone and iOS hardware and software features” via a new form.

All of the above changes impact only the EU; Apple won’t bring them to the United States or other regions at this time. There is one notable change that extends beyond Europe, though: Apple says that “developers can now submit a single app with the capability to stream all of the games offered in their catalog.” That opens the door for services like Microsoft’s Xbox Game Pass or Nvidia’s GeForce Now.

Apple notes that “each experience made available in an app on the App Store will be required to adhere to all App Store Review Guidelines,” which could still pose some barriers for game streamers.
