Hackers are cloning NFC payment cards from Android phones
Reports indicate a new wave of phishing attacks targeting Android users through progressive web apps (PWAs), aiming to steal login credentials for fraudulent bank activities. Recent updates reveal that some of these phishing attacks also use malware to extract NFC information, enabling criminals to clone phones and conduct theft through contactless payments and ATMs.
The modus operandi of these attacks involves sending out mass texts and emails to entice users into installing a deceptive web-based app that mimics a bank login page. Once the login details are captured, the attackers use the information for unauthorized transactions. In certain instances documented in March, hackers exploited the NGate NFC vulnerability to coax users into installing malicious apps.
This tactic allowed them to replicate the NFC payment system found in modern smartphones and credit/debit cards. By transferring these credentials to another device, criminals could exploit tap-to-pay features at retail stores and ATMs. One suspect, who was carrying a significant amount of money, was apprehended in Prague for allegedly using stolen NFC credentials to withdraw cash from ATMs.
The complexity of the attack involves malware guiding victims through multiple steps to acquire NFC data, including scanning their own debit card with their phone. Subsequently, the malware copies the NFC authentication of the card and transmits the information to the perpetrator.
While spoofing NFC information requires technical expertise, the victim’s phone does not need to be rooted or altered, just infected with a malicious app. Although ESET has observed a decline in attacks targeting NFC data since the March arrest, these techniques are swiftly adopted by cybercriminals. The NFC tools in question were initially developed by students in Germany in 2017 and were only recently repurposed for illicit activities.
To safeguard against such attacks, exercise caution with financial messages from unknown senders, avoid clicking direct links in emails or texts, and verify any banking or tax-related issues on the official website using a separate browser. Refrain from installing apps or PWAs from untrustworthy sources to mitigate the risk of falling victim to cyber scams.