The malware was discovered by cybersecurity firm ESET and was named NGate because the attackers used the NFCGate toolkit to analyze NFC traffic. Czech police busted a gang using a similar scheme after arresting one of its members as that member was withdrawing cash from an ATM in Prague.
Here's how the scam worked: The victim received an SMS urging them to install an app because there was a problem with their tax return. This SMS contained a link to a fake website that collected the victim's login information.
This gives the attacker access to the target’s bank account.
The victim then receives a call from the attacker, who pretends to be a bank employee. The bank customer is told that they will be sent an SMS with a link to an app that will be used to protect their account by allowing them to change their PIN number and verify their card. The victim is asked to enable NFC on their phone and scan the card. The mobile app is actually the NGate malware.
The malware can relay NFC data from the victim's card through an infected smartphone to the attacker's smartphone, which can then emulate the card. This gives the criminal the information in real time and allows him to withdraw money from an ATM. This is really scary.
This is how the NGate malware attack works. | Image credit: ESET
“Based on our current findings, no apps containing this malware have been found on Google Play. Android users are automatically protected from known versions of this malware through Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps that are known to exhibit malicious behavior, even if those apps come from sources outside of Play.” – Google
Google said that no such malware was found in the apps listed on the Play Store. Google pointed out that its Play Protect feature warns users and blocks apps with malicious behavior, even if those apps come from third-party sources. Between November and March, six NGate-laden apps from non-Play Store sources were discovered attacking three Czech banks.
How can you make sure you don't become a victim? Never send personal information, including PIN numbers, online. Even if the SMS or email you receive seems genuine, do not give out personal information. Always assume you are being scammed. Confirm requests for information by calling the requesting company. Get the phone number from Google, and do not call the number provided in the SMS.