Malicious Android app attacks RFID payment card

Trend Micro recently detected androidos_stip. A high-risk Android app. This app is distributed through forums and blogs and can be used to attack users ' RFID (Radio Frequency identification--inductive electronic chips) to store the value of a bus card. What is the mechanism behind this? What are the general security risks of RFID payment cards?

now payment via RFID cards has become increasingly popular, and more mobile devices are joining NFC (near Field communication, proximity wireless) support. Banks, businesses, or public services will issue RFID cards to their customers and can store values.

RFID security issues with cards

since it is widely used, it is no surprise that the RFID card becomes the target of the attack. For example, Chile's Tarjeta bip! card was attacked recently. These cards are based on Mifare smart cards, mifare refers to a chip family that is widely used in contactless smart cards and inductive cards.

(MIFARE equipment)

Review The program code for Android apps, and Trend Micro has found that if it executes on a device with NFC, it can read and write these cards. The malicious application writes pre-defined data to the card, raising the user's balance to 10,000 Chilean Bissau (about $15). This practice is only useful for this particular card, because it relies on the format of the problematic card.

How does the tool author rewrite the card data without having to verify the key correctly? This is because these cards are based on the older version of the MIFARE series (MIFARE Classic), which is known to have many security issues. Attackers can copy or modify MIFARE Classic cards within 10 seconds, while using devices such as PROXMARK3 and any required support can be purchased on the web.

(Proxmark3 for sale)

using a widely used tool, an attacker can decipher the card's authentication key. With cracked keys and native NFC-enabled Android and devices, you can easily copy cards and add value with a mobile app.

(a mifare Classic card manufacturer and memory content)

other types of Mifare cards (specifically mifare DESFire and Mifare Ultralight) already exist on the attack. We know that there are at least three problematic cards: a Social Security card with a banking function, a payment card for transportation, shopping, and a restaurant card with a social security card of about 7 million users.

(Social Security card based on Mifare DESFire )

The Restaurant card uses the Mifare Classic card, and our test shows that the balance of the adapter slice can be changed. The other two are mifare DESFire cards that may be subject to cross-channel (Side-channel) attacks. The encryption system of these cards will leak information under the supervision of advanced users, and the key will be acquired within 7 hours. If the supplied key is not random, the customer card may be copied or altered, just like the Mifare Classic card. Or worse, the balance will also be changed by NFC-enabled mobile devices.

Conclusion

these specific mifare models have been discontinued for many years and have been changed to a more secure model. However, these issuers seem to have opted for cheap solutions and put their customers in danger.

Trend Micro customers are advised to take steps to protect the RFID cards they own , such as checking the account balance regularly. In addition, if possible, you should check whether the card currently in use has loopholes and return it to their suppliers.

Malicious Android app attacks RFID payment card