2025/12/05 16:15:41

NFCGate (malicious application)



Chronicle

2025

In Russia, the developer of the NFCGate program, through which hundreds of millions of rubles were stolen from Russians, was detained

Officers of the Cybercrime Department of the Ministry of Internal Affairs of Russia, together with cyber police officers from Moscow and the Rostov and Samara regions, detained members of an interregional criminal group. Among the detainees is the developer and chief administrator of the control panel of the NFCGate program, with the help of which money was stolen remotely from citizens' bank cards. This was reported by the official representative of the Ministry of Internal Affairs of Russia, Irina Volk, in her Telegram channel on December 5, 2025.

Criminals are suspected of committing more than 600 episodes of criminal activity in 78 regions of Russia. According to preliminary data, the amount of damage exceeds ₽200 million. The investigator of the specialized department for the investigation of remote theft of the Investigative Department of the Internal Affairs Directorate for the North-Eastern Administrative District of the Main Directorate of the Ministry of Internal Affairs of Russia in Moscow opened a criminal case on the grounds of a crime under Part 4 of Article 159 of the Criminal Code of Russia.

The creator of the application "NFCGate," which stole hundreds of millions of rubles from Russians, was detained in Russia

The attackers used malware that spread through the WhatsApp and Telegram messengers under the guise of applications from government organizations or banks. This allowed them to cash out the victims' funds at ATMs without the participation of the legal owners. It was previously established that the scammers' attack began according to the traditional scenario, with a phone call.

As Kaspersky Lab explained to TAdviser, attackers using code from a free NFC utility (NFCGate[1]) could steal users' money using the "direct NFC" scheme. As part of it, the attackers contacted a potential victim in a messenger and urged them to download the program under various plausible pretexts, for example, allegedly for verification in a financial service.

The victim was persuaded to install a special file disguised as an official banking application on their device. In fact, it was a malicious application that asked the victim to hold their bank card to the back of the smartphone and to enter the PIN code. The malware then passed the card data to the attackers. Once the program was activated, accomplices were able to withdraw money from ATMs in any region of Russia.[2]

We are recording a significant decrease in the number of attacks using "direct NFC," - Dmitry Kalinin, cybersecurity expert at Kaspersky Lab, told TAdviser. - However, it is important for users to remember that attacks using malicious utilities to work with NFC are characterized by another scheme - "reverse NFC." In these cases, attackers also send malware in the messenger to potential victims.

As stated in the blog[3] of the company F6[4], an attack on bank card users using reverse NFCGate is carried out in two stages. At first, the criminals act according to the standard scenario of the NFCGate scheme. Using social engineering techniques, they try to convince the potential victim of the need to install a malicious APK file on the device under the guise of a useful program. The attackers explain that this is required, for example, to "protect" a bank account or to obtain more favorable terms of service, such as a deposit with an increased interest rate.

If the victim sets the Trojan as the default method of contactless payment, the NFC chip of the infected phone will emit a signal that ATMs recognize as the attacker's card. The fraudsters then try to convince the user to hold the infected phone to an ATM and deposit funds, allegedly into a secure account, but the money goes to the attackers' account.

For both NFCGate attack scenarios, experts recommend that users not follow links or download files from dubious correspondence in instant messengers, and not store their card next to an NFC-enabled smartphone. To protect against "reverse NFC," passive NFC tags issued by banks can be used, and NFC support can be turned off in the smartphone.

NSPK launched a system to protect against theft of money through malware

On June 18, 2025, the National Payment Card System (NSPK) announced a system for detecting fraudulent transactions from devices infected with malware. The technology has already been tested in conjunction with VTB.

Creation of clones of bank cards of Russians

On April 24, 2025, cybersecurity experts from F6 reported that attackers had adopted a new scheme for contactless theft of money from customers of Russian banks. Criminals forge bank cards and gain access to victims' funds without using a PIN.

The attack scheme is based on the use of modified versions of the NFCGate program. It is a legitimate application for capturing, monitoring and analyzing NFC traffic, developed as an educational project by students of the Darmstadt Technical University. NFCGate is open source, and attackers reuse its code, adding malicious functions.

Attackers learned to create clones of Russian bank cards

In particular, in October 2024, multiple cases of the use of a modified NFCGate against customers of leading Russian banks were recorded. The attacks were carried out using APK files built on the basis of NFCGate and imitating legitimate applications of banks or government agencies. The principle of the attack is to intercept the NFC traffic transmitted between the victim's bank card and the terminal. The victim's NFC card data is relayed in real time to the attacker's device, allowing them to withdraw money from the user's account through an ATM.

In addition, the so-called reverse scheme is used. In this case, the application uses its ability to relay NFC traffic to transmit the data of a third-party bank card to the user's device. When the victim comes to an ATM to deposit money to their own account and holds the smartphone to the terminal's NFC module, they are authorized not with their own card but with the attacker's card, to which the entire amount goes.

Fraudsters, under various pretexts, direct the victim to an ATM in order to deposit money allegedly to themselves, but in fact to the criminals. No attempt is made to extract sensitive information from the bank's client: for example, they are not asked to name the code from an SMS. On the contrary, the user is informed of a "new" PIN code allegedly for their own card, - say F6 experts.[5]

Hackers stole ₽40 million from Russians using NFCGate

F.A.C.C.T. recorded the theft of ₽40 million from customers of Russian banks over the past two months through a malicious application for intercepting NFC data of bank cards. This became known on January 22, 2025.

According to TASS, the scheme is implemented through the NFCGate mobile application, first used against Russians in August 2024. The program allows capturing and analyzing NFC traffic between two smartphones.

Attackers distribute malware under the guise of the applications "Protection of Cards of the Central Bank of the Russian Federation," "CBRezerv +," "Public services Verification" and "Security Certificate." More than 100 unique samples of this software have been found on the network.

After installation, the program invites the user to undergo verification by attaching a bank card to the NFC module of the smartphone. At the same time, the card data and PIN code, if entered, are transferred to criminals. Experts note the possibility of adding functionality for intercepting SMS and push notifications.

Theft may not happen immediately: the functionality of NFCGate allows a criminal to record the victim's bank card data and replay it later, say experts at F.A.C.C.T.

In December 2024 - January 2025, about 400 attacks using this malware were registered. On average, ₽100 thousand were stolen from each victim.

Analysts of the company predict a monthly increase in such cyber attacks on users of Android devices by 25-30%. Attackers can install the application remotely using remote access Trojans.

In case the victim does not block the card after the first incident, criminals can repeatedly write off funds. The data can be used to tokenize the card and make purchases in stores.[2]
