2025/01/02 21:55:41

NGate (banking Trojan)

2024: NFC-based money-theft scheme reaches Russian users

Virus analysts at Dr.Web warned of new versions of the NGate banking Trojan targeting Russian users. The Trojan relays data from the NFC chip of the compromised device, allowing the attacker to withdraw money from the victim's accounts at ATMs without any participation on her part. The company announced this on December 26, 2024.

The NGate banker first appeared on anti-virus vendors' radars in the fall of 2023, when reports of attacks on customers of large Czech banks began to appear in specialized media. The attackers' strategy combined social engineering, phishing and malware. These standard tactics were embodied in a rather innovative scenario: the outcome of the interaction with the victim was remote access to the NFC capabilities of her means of payment. That campaign was suppressed by law enforcement agencies in the Czech Republic, but its idea was adapted to Russian realities and put to use for illegal enrichment at the expense of users in Russia.

The event that triggers the chain of compromise is presumably a call from scammers who tell the victim that she is entitled to various social benefits or other financial payments. To receive them, the victim must follow a link to a fraudulent site, from which a malicious APK with the NGate Trojan is downloaded, disguised as the application of the State Public services portal, the Bank of Russia, or one of the other popular banks.

The NGate banking Trojan is a malicious modification of the open source application NFCGate, which was designed for debugging NFC data transfer protocols. NFCGate supports a number of functions, but the one of greatest interest to attackers is the ability to capture the NFC traffic of applications and forward it to a remote device, which can be either a server or the attacker's own smartphone. The criminals modified the source code by adding user interfaces that mimic the branding of financial institutions, and enabled the NFC relay mode. In addition, the application includes the nfc-card-reader library, which lets the attackers remotely obtain the card number and its expiry date.

After launching the application, the victim, supposedly to verify herself as a client, is asked to hold a payment card against the back of the smartphone, enter the card's PIN code and wait until the fake application "recognizes" the card. During this time, data is read from the bank card and forwarded to the criminals. Dr.Web pointed out that root access on the attacked smartphone is not required to steal NFC data.

While the victim holds the card against her smartphone, the attacker is already standing at an ATM requesting cash. An alternative is to use the same scheme for contactless payment of purchases: at the moment when a card has to be tapped, the fraudster simply presents his phone, which relays the NFC responses of the victim's bank card in real time (the card is not cloned; the real card answers through the victim's phone). He can then confirm the operation with the PIN obtained earlier.
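The following is an added example, not code from Dr.Web, NGate or the NFCGate project, modelling the two steps described above: the "reader" end on the victim's phone extracting the card number and expiry date from the card's Track 2 Equivalent Data (what an nfc-card-reader-style component does), and the "emulator" end at the ATM or POS forwarding every command to the real card and returning its answer. The card, the terminal's commands, the AID and the Track 2 value are constructed stand-ins; no real NFC hardware or EMV kernel is involved, cryptogram generation is omitted, and the round-trip-time check at the end is a simplified illustration of timing-based relay detection, not EMV's actual relay-resistance protocol. Assumed names (Card, Relay, Clock, terminal_read, parse_tlv, pan_and_expiry) are invented for this example.

```python
"""Toy model of an NFC relay (added example; not Dr.Web, NGate or NFCGate code)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: EMV Track 2 Equivalent Data (tag 57) of a fictitious card.
# Layout: PAN, 'D' separator, expiry YYMM, service code, discretionary data, 'F' padding.
SAMPLE_TRACK2_HEX = "4111111111111111D271210100000000000F"


def parse_tlv(data: bytes) -> dict[int, bytes]:
    """Minimal BER-TLV parser: 1/2-byte tags, short/long lengths, flattens constructed objects."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:          # two-byte tag (e.g. 9F6B)
            tag = (first << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        out[tag] = value
        if first & 0x20:                  # constructed object: parse its children too
            out.update(parse_tlv(value))
    return out


def pan_and_expiry(track2: bytes) -> tuple[str, str]:
    """Pull PAN and expiry (YYMM) out of tag 57, as a card-reader component would."""
    digits = track2.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return pan, rest[:4]


class Clock:
    """Fake monotonic clock so the relay's added latency is deterministic (assumption for the example)."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


class Card:
    """Stand-in contactless card: answers SELECT with OK and READ RECORD with a record holding tag 57."""
    SW_OK = b"\x90\x00"
    def __init__(self, track2_hex: str) -> None:
        t2 = bytes.fromhex(track2_hex)
        self.record = b"\x70" + bytes([len(t2) + 2]) + b"\x57" + bytes([len(t2)]) + t2
    def transceive(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0xA4:                   # SELECT
            return self.SW_OK
        if ins == 0xB2:                   # READ RECORD
            return self.record + self.SW_OK
        return b"\x6D\x00"                # INS not supported


@dataclass
class Relay:
    """Attacker's phone at the ATM/POS posing as the card; every APDU crosses the network twice."""
    card: Card
    clock: Clock
    hop_delay_s: float
    log: list[tuple[str, str]] = field(default_factory=list)
    def transceive(self, apdu: bytes) -> bytes:
        self.clock.sleep(self.hop_delay_s)      # terminal -> attacker phone -> victim phone
        rsp = self.card.transceive(apdu)         # victim's phone talks to the real card
        self.clock.sleep(self.hop_delay_s)      # response travels back
        self.log.append((apdu.hex(), rsp.hex()))
        return rsp


def terminal_read(endpoint, clock: Clock, max_rtt_s: float | None = None) -> dict:
    """Stand-in terminal: SELECT, then READ RECORD and extract PAN/expiry. With max_rtt_s set,
    reject the card when the first round trip is too slow (crude relay check, not EMV RRP)."""
    select = bytes.fromhex("00A4040007A000000003101000")   # SELECT by AID (constructed AID)
    read_record = bytes.fromhex("00B2010C00")              # READ RECORD 1 from SFI 1
    t0 = clock.now()
    sw = endpoint.transceive(select)
    rtt = clock.now() - t0
    if sw[-2:] != Card.SW_OK:
        return {"accepted": False, "reason": "select failed"}
    if max_rtt_s is not None and rtt > max_rtt_s:
        return {"accepted": False, "reason": "relay suspected", "rtt_s": rtt}
    tlv = parse_tlv(endpoint.transceive(read_record)[:-2])
    pan, exp = pan_and_expiry(tlv[0x57])
    return {"accepted": True, "pan": pan, "expiry": exp, "rtt_s": rtt}


if __name__ == "__main__":
    card = Card(SAMPLE_TRACK2_HEX)
    print("card tapped directly:", terminal_read(card, Clock(), max_rtt_s=0.5))
    relay = Relay(card, Clock(), hop_delay_s=0.4)
    print("relayed, no timing check:", terminal_read(relay, relay.clock))
    print("relayed, timing check:", terminal_read(Relay(card, Clock(), 0.4), Clock(), max_rtt_s=0.5))
```

Run without a timing bound, the terminal accepts the relayed card and reads the victim's PAN exactly as if she had tapped it herself, which is the whole point of the scheme; the relay log shows each command and answer passing through the attacker's phone. With a bound on the first round trip, the two extra network hops push the latency over the limit and the card is rejected. Real terminals and cards use dedicated relay-resistance mechanisms and dynamic cryptograms rather than this one-shot check, but the asymmetry it illustrates (a relay cannot answer faster than the real card plus the network) is what those mechanisms build on.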

To avoid losing money, Dr.Web analysts recommend the following rules:

  • do not give anyone the PIN or CVV codes of your bank cards;
  • use antivirus software, which will block the download and installation of the malware;
  • carefully check the addresses of web pages on which you are asked to disclose any financial information;
  • install applications only from official sources such as RuStore, AppGallery and Google Play;
  • do not engage in conversations with scammers. If an unexpected call comes from someone claiming to represent law enforcement, a bank, the State Public services portal, the Pension Fund or any other organization, hang up. Then find the contact number on the organization's official website and call it yourself.