NGate (Trojans) – Malware

Overview

NGate is a sophisticated Android malware family that has been used in a novel crimeware campaign, first uncovered by ESET researchers in 2024. Unlike many other Android-based malware threats, NGate has a unique capability: it can relay Near Field Communication (NFC) data from a victim’s payment card through their compromised smartphone to an attacker’s device. This allows the attacker to mimic the victim’s card and make unauthorized withdrawals from ATMs, exploiting the NFC technology found in modern payment cards. This malware represents an advanced threat, utilizing a combination of phishing, social engineering, and cutting-edge Android malware techniques to compromise financial security.

Targets

Individuals Finance and Insurance

How they operate

Initial Infection and Distribution

NGate primarily spreads through phishing attacks. The threat actors behind this malware craft convincing SMS messages, often disguised as legitimate communication from financial institutions or service providers. These messages prompt users to download and install a malicious application, often camouflaged as a legitimate financial or utility app. Upon installation, the malware gains a foothold on the victim’s device, setting the stage for further malicious activity. Once installed, NGate uses several advanced techniques to ensure that it maintains persistence on the device. It exploits Android’s system permissions to avoid detection and to execute various tasks without alerting the user. The malware might also utilize the system’s boot mechanisms to ensure it restarts automatically upon reboot, giving it resilience even if the user attempts to remove it.

Exploitation and Privilege Escalation

One of the critical features of NGate is its ability to exploit Android vulnerabilities for privilege escalation. After installation, NGate can attempt to elevate its permissions, often by exploiting flaws within the operating system or through outdated app vulnerabilities. If successful, this grants NGate deeper access to the device, allowing it to operate more stealthily and perform a broader range of malicious activities, such as intercepting communications or manipulating device settings. The malware uses a command-line interface for executing a range of actions on the infected device. Through this interface, NGate can execute scripts or commands to carry out specific tasks, such as turning on certain sensors or enabling NFC capabilities without user consent. This level of control is crucial for the malware’s ability to collect and exploit financial data.

Data Collection: Intercepting NFC Payment Information

One of NGate’s most dangerous features is its ability to exploit NFC technology. NFC (Near Field Communication) allows users to make contactless payments by tapping their NFC-enabled devices, such as smartphones, to payment terminals or by using NFC-enabled cards. NGate malware takes advantage of this functionality by intercepting and capturing the data from the NFC communication when the victim’s device is in proximity to a payment card. The malware collects the unique information stored on the victim’s payment card, such as the card number, expiration date, and security code. This data is often enough to perform fraudulent transactions or to create a digital clone of the card for online or physical purchases. NGate’s exploitation of NFC is a particularly sophisticated method of stealing financial information, as it doesn’t rely on traditional techniques like keylogging or screen scraping.

Exfiltration and Command and Control

Once NGate has successfully gathered sensitive data, it begins exfiltrating the stolen information to a remote command and control (C&C) server. This exfiltration typically occurs over an encrypted communication channel, ensuring that the data is transferred securely to the attacker. The malware uses various methods, including HTTP and HTTPS, to transmit the collected information, which is then used for further malicious activities. In some cases, attackers may use the exfiltrated data to emulate the stolen card, allowing them to withdraw money from ATMs or make online purchases. The communication between the malware and the C&C server is designed to be stealthy, preventing detection by network monitoring tools. This enables the attackers to continue their operations without raising suspicion.

Impact: Financial Fraud and Data Manipulation

The ultimate impact of NGate is financial fraud. By obtaining and emulating NFC payment data, attackers can execute unauthorized financial transactions, leading to substantial monetary losses for the victim. The malware can also manipulate victim data to facilitate these fraudulent activities. For example, attackers may use the stolen NFC card information to generate a digital version of the card, which can be used for online purchases or ATM withdrawals. Additionally, because NGate targets devices that are actively being used for NFC transactions, it’s a major threat to users who regularly use contactless payment methods. The ability to steal data in real-time, without requiring the victim to provide any additional personal information, makes NGate particularly dangerous.

MITRE Tactics and Techniques

Initial Access (TA0001)

Phishing (T1566): NGate malware is initially spread through phishing attacks, where attackers send malicious SMS messages that trick users into downloading the infected application. This is one of the key methods used to gain initial access to the victim’s device.

Execution (TA0002)

Command and Scripting Interpreter (T1059): Once the malicious app is installed on the victim’s device, it may use scripting or command-line interpreters to execute various functions, such as gathering sensitive data or activating NFC communication features. Exploitation for Privilege Escalation (T1068): Though not always required, the malware could attempt to exploit vulnerabilities in the Android operating system or applications to gain higher privileges, enabling it to perform additional malicious activities.

Persistence (TA0003)

Boot or Logon Autostart Execution (T1547): The malware may persist by setting itself to start automatically when the device is rebooted, ensuring it remains on the victim’s device for prolonged periods.

Collection (TA0009)

Input Capture (T1056): NGate malware collects sensitive information from the victim, such as banking credentials or NFC payment card data. It intercepts user inputs through malicious app interfaces to acquire this data. Exploitation of Data from Device (T1093): The malware collects data from NFC-enabled payment cards when the victim holds their card near the compromised device, allowing the attackers to access financial information stored on the card.

Exfiltration (TA0010)

Exfiltration Over Command and Control Channel (T1041): After collecting sensitive NFC data from the victim’s card, NGate transmits the stolen information to the attacker’s command and control server for further use, such as emulating the card for ATM withdrawals.

Impact (TA0040)

Data Manipulation (T1565): In some cases, the attackers use the collected NFC data to perform unauthorized financial transactions, manipulating the victim’s data for financial gain. This tactic also includes transferring funds or withdrawing money at ATMs using cloned cards.  

References:

• NGate Android malware relays NFC traffic to steal cash