NFCGate
NFCGate is a legitimate open-source Android NFC research tool created in 2015 by students at the Technical University of Darmstadt for analyzing and debugging NFC traffic. It has since been widely abused by cybercriminals as the basis for Android banking malware and fraud tooling that relays or emulates payment-card NFC data to steal funds.
The documented malicious use centers on NFC-enabled banking fraud. Attackers distribute modified NFCGate builds, often via phishing websites, WhatsApp, Telegram, or apps masquerading as legitimate banking, e-government, security, or contactless-payment software. Victims are socially engineered to install the app, grant NFC and network access, and in some cases accessibility permissions. In the common attack flow, victims are instructed to tap their bank card against the infected phone and enter their PIN during a fake authorization process. The malware captures card data via NFC and sends it to attacker-controlled infrastructure, allowing criminals to emulate the victim’s card on another device and perform contactless purchases or withdraw cash from ATMs without the physical card. A newer “reverse NFCGate” scheme tricks the victim into setting the malicious app as the default contactless payment app so the phone emulates an attacker-controlled card at an ATM; the victim is then told to tap the phone on the ATM reader and use a supplied PIN.
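The relay path described above, as an added simulation written for this page (it is not NFCGate's own code and does not reproduce its wire protocol). It models the four hops the text describes: terminal, attacker's phone in host card emulation, relay server, victim's phone in reader mode with the card held against it, and the response travelling back. The class names, the in-memory RelayServer and the card's FCI reply are assumptions constructed for the example; the SELECT PPSE command is the standard EMV contactless opening command.

```python
"""Simulated NFC relay of the kind modified NFCGate builds implement.

Added illustration for this page, not NFCGate's code.  The "network" between
the phones is a pair of in-process queues; a real deployment puts an
attacker-controlled server in that position.
"""
from __future__ import annotations

import queue
import threading

# SELECT PPSE ("2PAY.SYS.DDF01"): the first command a contactless EMV terminal
# sends; the card's FCI reply lists the payment applications it supports.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
# Constructed FCI reply advertising one application (AID A0000000041010), SW 9000.
PPSE_FCI = bytes.fromhex(
    "6F1F840E325041592E5359532E4444463031A50DBF0C0B61094F07A00000000410109000"
)
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")


class Card:
    """Constructed stand-in for the victim's contactless card."""

    def __init__(self, responses: dict[bytes, bytes]):
        self.responses = responses

    def transmit(self, apdu: bytes) -> bytes:
        return self.responses.get(apdu, SW_FILE_NOT_FOUND)


class RelayServer:
    """Attacker-controlled rendezvous that pairs the two phones and forwards bytes."""

    def __init__(self) -> None:
        self.commands: queue.Queue = queue.Queue()   # emulator phone -> reader phone
        self.responses: queue.Queue = queue.Queue()  # reader phone -> emulator phone
        self.log: list[tuple[str, bytes]] = []       # what the server operator sees

    def send_command(self, apdu: bytes) -> None:
        self.log.append(("cmd", apdu))
        self.commands.put(apdu)

    def send_response(self, rsp: bytes) -> None:
        self.log.append(("rsp", rsp))
        self.responses.put(rsp)


class ReaderPhone(threading.Thread):
    """Victim's phone: malicious build in reader mode, card tapped against it."""

    def __init__(self, card: Card, server: RelayServer):
        super().__init__(daemon=True)
        self.card, self.server = card, server

    def run(self) -> None:
        # Forward every relayed command to the physical card and return its answer.
        while (apdu := self.server.commands.get()) is not None:
            self.server.send_response(self.card.transmit(apdu))


class EmulatorPhone:
    """Attacker's phone: host card emulation service facing the ATM or POS reader."""

    def __init__(self, server: RelayServer, timeout: float = 2.0):
        self.server, self.timeout = server, timeout

    def process_command_apdu(self, apdu: bytes) -> bytes | None:
        self.server.send_command(apdu)
        try:
            return self.server.responses.get(timeout=self.timeout)
        except queue.Empty:
            return None  # a real HCE service just never answers; the terminal times out


def simulate_terminal(commands: list[bytes], card: Card | None = None) -> list[bytes | None]:
    """Run a terminal's command sequence through the relay; return the replies it sees."""
    card = card or Card({SELECT_PPSE: PPSE_FCI})
    server = RelayServer()
    reader = ReaderPhone(card, server)
    reader.start()
    emulator = EmulatorPhone(server)
    replies = [emulator.process_command_apdu(c) for c in commands]
    server.commands.put(None)  # stop the reader-side loop
    reader.join()
    return replies


if __name__ == "__main__":
    for cmd, rsp in zip([SELECT_PPSE], simulate_terminal([SELECT_PPSE])):
        print(cmd.hex(), "->", rsp.hex() if rsp else "timeout")
```

The terminal receives exactly the bytes the genuine card produced, which is why the "reverse NFCGate" scheme works just by swapping roles: the attacker's drop card sits at the reader-mode end and the victim's phone becomes the emulator at the ATM. What the relay adds is latency on every command, not any visible difference in the data.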
Tracked sources link NFCGate abuse to banking fraud campaigns in the Czech Republic, Russia, and Italy, with attempted deployments also reported in Brazil. ESET described a Czech campaign in August 2024 using phishing sites to spread malicious NFCGate mods. Russian authorities said criminals distributed NFC malware disguised as bank software via WhatsApp and Telegram, and that victims across nearly all of Russia were affected. Russian police reported dismantling a criminal enterprise using NFCGate-based malware, with preliminary losses exceeding 200 million rubles, while Russian security company F6 estimated that various NFCGate-based strains had stolen at least 1.6 billion rubles from Russian customers by the end of 2025.
Sources also note that modified NFCGate has been bundled with other Android malware, including SpyNote as a dropper/NFC activator and CraxsRAT in later bundles. Related campaigns and variants mentioned include SuperCard and RatOn. By early 2025, analysts had reportedly identified more than 80 unique malware samples built on the NFCGate framework. High-confidence indicators and behaviors directly described include Android apps disguised as bank or payment software, requests for NFC and internet permissions and sometimes an accessibility service, instructions to tap a payment card to the phone, collection of card PINs, relay of NFC data to attacker-controlled servers, and use of the captured card data and PIN for ATM withdrawals or contactless fraud.
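A static triage check built on the indicators listed above, added for this page rather than taken from any of the sources: it walks a decompiled app's AndroidManifest.xml (and the res/xml file its HCE service points at) for the NFC plus INTERNET combination that makes relay possible, an accessibility service binding, and a host card emulation service registered in the "payment" category, which is what an app must declare before it can be set as the default contactless payment app in the "reverse NFCGate" scheme. The two manifests and the AID value are constructed samples; the function name and the scoring thresholds are this example's own.

```python
"""Triage a decompiled Android app for the NFC-fraud indicator combination.

Added example for this page.  Input is the text of AndroidManifest.xml plus a
mapping of resource references (e.g. "@xml/apduservice") to the text of the
corresponding res/xml file, as apktool or jadx leaves them on disk.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"


def _actions(service: ET.Element) -> set:
    return {a.get(NS + "name") for a in service.iter("action")}


def triage(manifest_xml: str, xml_resources: dict) -> dict:
    """Return indicator flags for one app; needs_review marks it for analyst follow-up."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    flags = {
        "nfc": "android.permission.NFC" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "accessibility_service": False,
        "hce_service": False,
        "hce_payment_category": False,
        "hce_aids": [],
    }
    for svc in root.iter("service"):
        actions = _actions(svc)
        if ACCESSIBILITY_ACTION in actions:
            flags["accessibility_service"] = True
        if HCE_ACTION in actions:
            flags["hce_service"] = True
            # The AID groups and their category live in the referenced res/xml file.
            for meta in svc.iter("meta-data"):
                if meta.get(NS + "name") != HCE_META:
                    continue
                ref = meta.get(NS + "resource")
                if ref not in xml_resources:
                    continue
                for group in ET.fromstring(xml_resources[ref]).iter("aid-group"):
                    if group.get(NS + "category") == "payment":
                        flags["hce_payment_category"] = True
                    flags["hce_aids"] += [f.get(NS + "name") for f in group.iter("aid-filter")]
    # NFC + INTERNET is the minimum a relay needs; on its own it also matches
    # every legitimate tag reader, so it only raises the bar, not the alarm.
    flags["relay_capable"] = flags["nfc"] and flags["internet"]
    flags["needs_review"] = flags["relay_capable"] and (
        flags["accessibility_service"] or flags["hce_payment_category"]
    )
    return flags


# Constructed sample: an ordinary tag-reader app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample: relay permissions, an accessibility service and a
# payment-category HCE service in one package.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".CardService" android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
          android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""
SUSPECT_RESOURCES = {"@xml/apduservice": """<host-apdu-service
    xmlns:android="http://schemas.android.com/apk/res/android" android:requireDeviceUnlock="false">
  <aid-group android:category="payment"><aid-filter android:name="A0000000041010"/></aid-group>
</host-apdu-service>"""}

if __name__ == "__main__":
    print("benign :", triage(BENIGN_MANIFEST, {}))
    print("suspect:", triage(SUSPECT_MANIFEST, SUSPECT_RESOURCES))
```

Treat needs_review as a queueing signal, not a verdict: genuine wallet apps also register payment-category HCE services, and the remaining indicators on this page (a bank or payment-themed label, a tap-your-card prompt, a PIN entry screen, traffic to an unknown server) still have to be confirmed by looking at the app.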
Originally an open-source NFC traffic analysis/debugging tool (2015) that was later modified by criminals into an NFC relay framework enabling real-time (and later delayed/offline) relaying/emulation of payment card NFC data to facilitate fraudulent ATM withdrawals and POS payments, often paired with social engineering and sometimes Accessibility abuse.
Legitimate open-source NFC tool abused as a base for NFC-relay style banking fraud malware; used to harvest card data/enable ATM cash-outs by relaying NFC interactions after victims install fake banking apps and are socially engineered to tap their card and enter PIN.
A legitimate open-source NFC relay tool that is being abused as the core component of financial-theft mobile malware to relay/emulate victims’ bank cards and enable unauthorized ATM withdrawals.
Legitimate NFC traffic tool repurposed as Android malware to relay NFC data and enable ATM/payment fraud; includes a 'reverse NFCGate' technique to route drop-card data to victim devices.