Chronicle
2025: Hackers stole ₽40 million from Russians using NFCGate
F.A.C.C.T. recorded the theft of ₽40 million from customers of Russian banks over the past two months through a malicious application for intercepting NFC data of bank cards. This became known on January 22, 2025.
According to TASS, the scheme is carried out through the NFCGate mobile application, first used against Russians in August 2024. The program can capture and analyze NFC traffic between two smartphones.
Attackers distribute the malware under the guise of applications named "Protection of Cards of the Central Bank of the Russian Federation," "CBRezerv +," "Public services Verification" and "Security Certificate." More than 100 unique samples of this software have been found online.
After installation, the program prompts the user to undergo verification by holding a bank card against the smartphone's NFC module. The card data and the PIN code, if entered, are then transferred to the criminals. Experts note that functionality for intercepting SMS and push notifications could be added.
Theft may not happen immediately: NFCGate's functionality allows a criminal to record the victim's bank card data and replay it later, according to experts at F.A.C.C.T.
In December 2024 - January 2025, about 400 attacks using this malware were registered. On average, ₽100 thousand were stolen from each victim.
The company's analysts predict a monthly increase of 25-30% in such cyber attacks on users of Android devices. Attackers can install the application remotely using remote access Trojans.
If the victim does not block the card after the first incident, criminals can debit funds repeatedly. The data can be used to tokenize the card and make purchases in stores.[1]