Researcher Showcases Unauthorized NFC Payments With Cloned Android Device

While mobile payments may seem to be all the hype, it is evident there is still a lot of work to be done in the security department. Slawomir Jasek, a renowned security researcher, successfully completed an NFC payment with a cloned smartphone. This type of attack allows assailants to steal money from other Android devices by using root malware.

Cloning An Android Phone?

While this concept sounds ridiculous to most people, they should not underestimate the power of root malware on Android devices. By using this type of malicious software, it is possible to abuse the host card emulation protocol. Google introduced this feature in Android 4,4, as it allows for NFC payments by keeping the Android device next to a payment terminal. Unfortunately, it appears this protocol can also be used to make fraudulent purchases.

To be more specific, cloning an Android smartphone makes a lot more sense to criminals than trying to steal a physical device. Intercepting payment requests is also virtually impossible, which makes them somewhat safe. However, that does not mean there are no vulnerabilities waiting to be exploited. That being said, the concept of cloning the entire content of a smartphone is not that easy to pull off by any means.

By using the Xposed framework, it is possible to spoof specific device information. This is necessary, as copying the files and data from one device to a different model will eventually cause some errors. However, the Xposed framework spoofs the necessary data to make it appear as if the copied data is residing on the same device as before.

Initiating the cloning process requires the use of root malware. This malicious software is designed to provide assailants with root privileges on the Android device. This does mean criminals need to ensure they can trick the user into installing the malware in the first place. Once this process has been completed and the cloning of data has been completed, the assailant can launch bank applications as if they were being run by the original device owner. Most banking apps detect rooted access, yet there are ways to circumvent these problems as well.

Since most mobile payment apps have a payment card linked already, it was rather easy for the researcher to conduct NFC payments at in-store locations. Although the payment limit for an NFC payment is set at around 25 euro, it is still possible to spend a lot of money in quick succession. Protecting the bank apps with a PIN code will prevent most of the cloned device’s purchases, assuming the user never entered this code once the malware was installed. Detecting that installation process is incredibly difficult, though.

Thankfully, this exploit has been discovered by a security researcher who notified both Google and all of the applications he successfully “abused” about this vulnerability. We can only hope this security flaw is addressed quickly before major financial damage is done. Rest assured more sophisticated criminals are already aware of this vulnerability, although it remains unclear if any fraudulent purchases have been made with a cloned Android device so far.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.