Criminals steal near field communication data using malware
Recent research from cybersecurity company ESET reveals details about a new attack campaign targeting Android smartphone users.
This cyber attack is based on the use of a complex social engineering scheme and a new Android malware, which is capable of withdrawing cash from NFC-enabled ATMs by stealing users’ near field communication data.
Continuous technical improvements by the threat actor
As ESET reported, the threat actor initially abused Progressive Web App (PWA) technology, which lets a website install an app-like shortcut on the device without going through the Play Store. PWAs are supported on desktop and mobile by Chromium-based browsers and others, including Firefox, Chrome, Edge, Opera, Safari, Orion, and Samsung Internet.
Because a PWA is served directly from the browser, it is flexible and generally does not suffer from compatibility issues. Once installed, a PWA can be recognised by its icon, which carries an additional small browser icon.
Cybercriminals use PWAs to redirect unsuspecting users to full-screen phishing websites and collect their credentials or credit card information.
The threat actor involved in this campaign later switched from PWAs to WebAPKs, a more advanced form of PWA. The difference is subtle: a PWA is an app built with web technologies and run by the browser, while a WebAPK packages the PWA as an Android APK that is installed like a native application.
From an attacker’s perspective, using WebAPKs is more stealthy, as their icons no longer display the small browser icon.
The victim downloads and installs a standalone app from a phishing website. Installation does not prompt the user for any additional permission, even though the app comes from a third-party website rather than the Play Store.
These fraudulent websites often mimic parts of the Google Play Store to create confusion and trick the user into believing that the installation actually comes from the Play Store, when in reality it comes directly from the fraudulent website.
NGate malware
On March 6, the same distribution domain used for the observed PWA and WebAPK phishing campaigns suddenly began spreading a new malware called NGate. Once installed and executed on a victim’s phone, it opens a fake website that asks for the user’s banking information, which is then sent to the threat actor.
The malware also embeds NFCGate, a legitimate open-source tool that can relay NFC traffic between two devices; its relay mode does not require a rooted device.
Once the user has entered their banking details, the app prompts them to enable NFC and hold their payment card against the back of the phone until the app reports that the card has been recognised.
An app that asks to enable NFC and read a payment card might initially seem suspicious, but the social engineering used in this campaign makes the request appear plausible to the victim.
The cybercriminal sends an SMS message to the user, which mentions tax returns and includes a link to a phishing website that impersonates banking companies and leads to a malicious PWA. Once installed and executed, the app asks the user for banking credentials.
At this point, the threat actor calls the user impersonating the banking company. The victim is informed that their account has been compromised, possibly due to a previous SMS. The user is then asked to change their PIN and verify banking card details using a mobile application to protect their banking account.
The user then receives a new SMS with a link to the NGate malware application.
Once installed, the app asks the user to enable NFC and hold the payment card against the back of the smartphone. The card's NFC data is relayed to the attacker in real time.
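To make the relay step concrete, here is an added example (not code from the page, from ESET, or from NFCGate) that simulates the round trip described above: a terminal sends EMV command APDUs to the attacker's phone, which forwards them over the network to the victim's phone, which taps the real card and returns the answer. The three command APDUs (SELECT PPSE, SELECT a Visa AID, GET PROCESSING OPTIONS) are real EMV commands, but the card and its response bodies are constructed stand-ins, the "network" is an in-process socket pair, and the function and variable names are this example's own. The point it demonstrates is that the terminal sees exactly the same responses whether it talks to the card directly or through the relay.

```python
import socket
import struct
import threading
import time

# --- Constructed stand-in for the victim's contactless card -------------------
# Real EMV command APDUs mapped to made-up response bodies (NOT real card data).
SW_OK = b"\x90\x00"              # status word: success
SW_FILE_NOT_FOUND = b"\x6a\x82"  # status word: file/application not found
FAKE_CARD = {
    # SELECT PPSE ("2PAY.SYS.DDF01")
    bytes.fromhex("00A404000E325041592E5359532E444446303100"): b"PPSE-FCI",
    # SELECT Visa AID A0000000031010
    bytes.fromhex("00A4040007A000000003101000"): b"VISA-FCI",
    # GET PROCESSING OPTIONS with empty PDOL data
    bytes.fromhex("80A8000002830000"): b"GPO-AIP-AFL",
}


def fake_card_transceive(apdu: bytes) -> bytes:
    """Answer one APDU the way the constructed card would."""
    body = FAKE_CARD.get(apdu)
    return body + SW_OK if body is not None else SW_FILE_NOT_FOUND


# --- Minimal length-prefixed framing for the relay channel --------------------
def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("relay peer closed")
        buf += chunk
    return buf


def send_frame(sock: socket.socket, data: bytes) -> None:
    sock.sendall(struct.pack("!H", len(data)) + data)


def recv_frame(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


# --- The two halves of the relay ---------------------------------------------
def reader_side(net_sock: socket.socket, card_transceive) -> None:
    """Victim's phone: receive APDUs from the network, tap the card, send back."""
    try:
        while True:
            apdu = recv_frame(net_sock)
            send_frame(net_sock, card_transceive(apdu))
    except ConnectionError:
        pass
    finally:
        net_sock.close()


def hce_side(net_sock: socket.socket):
    """Attacker's phone at the terminal: forward each APDU and await the reply."""
    def transceive(apdu: bytes) -> bytes:
        send_frame(net_sock, apdu)
        return recv_frame(net_sock)
    return transceive


# --- A terminal that only knows how to talk to 'a card' -----------------------
TERMINAL_SCRIPT = list(FAKE_CARD.keys())


def terminal_session(transceive):
    """Run the command script; stop at the first non-success status word."""
    transcript = []
    for apdu in TERMINAL_SCRIPT:
        t0 = time.perf_counter()
        resp = transceive(apdu)
        transcript.append((apdu, resp, time.perf_counter() - t0))
        if resp[-2:] != SW_OK:
            break
    return transcript


def run_relay_demo():
    """Return (relayed_transcript, direct_transcript) for comparison."""
    terminal_end, victim_end = socket.socketpair()
    worker = threading.Thread(target=reader_side,
                              args=(victim_end, fake_card_transceive), daemon=True)
    worker.start()
    try:
        relayed = terminal_session(hce_side(terminal_end))
    finally:
        terminal_end.close()  # signals the reader side to exit
    worker.join(timeout=2)
    direct = terminal_session(fake_card_transceive)
    return relayed, direct


if __name__ == "__main__":
    relayed, direct = run_relay_demo()
    for (apdu, resp, dt), (_, direct_resp, _) in zip(relayed, direct):
        print(f"{apdu.hex()} -> {resp.hex()}  relay={dt*1e6:.0f}us  "
              f"same_as_direct={resp == direct_resp}")
```

The transcript also records the round-trip time of each command; in a real relay that latency is the one thing the terminal could notice, since the card data itself is passed through unchanged.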
Making money from stolen information
The information stolen by the attacker allows for common fraud: withdrawing money from a banking account or using credit card information to purchase goods online.
However, the NFC data captured from the card lets the attacker emulate it on their own device and, together with the PIN obtained through the fake app, withdraw cash from ATMs that support contactless withdrawals. ESET describes this as a previously unreported attack.
Scope of attack
ESET’s research showed that the attacks took place in the Czech Republic, as only banks in that country were impersonated.
A 22-year-old suspect was arrested in Prague carrying approximately €6,000 ($6,500 USD). According to Czech police, the money came from thefts against three earlier victims, which suggests the threat actor stole considerably more over the course of the campaign.
However, as the ESET researchers wrote, “the possibility of its expansion to other regions or countries cannot be ruled out.”
It is likely that more cybercriminals will use similar techniques to steal money via NFC in the near future, especially as contactless payments become more widespread.
How to avoid this danger
To avoid falling victim to this cyber campaign, users should:
- Verify the source of applications they download and carefully check URLs to ensure their legitimacy.
- Avoid downloading software from outside official sources, such as the Google Play Store.
- Never share your payment card’s PIN. No bank will ever ask for it.
- Use a digital version of traditional physical cards, as these virtual cards are stored securely on the device and can be protected by additional security measures such as biometric authentication.
- Install security software on the mobile device to detect malware and unwanted applications on the phone.
Users should also disable NFC on their smartphones when it is not in use, which protects against further data theft. Attackers can read card data from unattended purses, wallets, and backpacks in public places and use it for small contactless payments. Protective cases or RFID-blocking sleeves provide an effective barrier against unwanted scans.
If you have any doubts when someone claiming to be from your bank calls, hang up and call the bank back on its official number, preferably from another phone.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.