2025/04/24 18:05:17

NFCGate (malicious application)


Chronicle

2025

Cloning of Russians' bank cards

On April 24, 2025, cybersecurity experts from F6 reported that attackers had adopted a new scheme for contactless theft of money from customers of Russian banks. Criminals clone bank cards and gain access to victims' funds without using a PIN.

The attack scheme is based on modified versions of the NFCGate program. NFCGate is a legitimate application for capturing, monitoring and analyzing NFC traffic, developed as an educational project by students of the Technical University of Darmstadt. Because NFCGate is open source, attackers take its code and build malicious functions into it.

Attackers learned to create clones of Russian bank cards

In particular, in October 2024, multiple cases of a modified NFCGate being used against customers of leading Russian banks were recorded. The attacks were carried out with APK files built on NFCGate that imitate legitimate applications of banks or government agencies. The attack works by intercepting the NFC traffic exchanged between the victim's bank card and a terminal: the victim's card data is relayed in real time to the attacker's device, allowing the attacker to withdraw money from the user's account at an ATM.

In addition, a so-called reverse scheme is used. In this case, the application's ability to relay NFC traffic is used to transmit the data of a third-party bank card to the victim's device. When the victim comes to an ATM to deposit money into their own account and holds the smartphone to the terminal's NFC module instead of their card, the session is authorized with the attacker's card, and the entire amount goes to it.

Fraudsters, under various pretexts, direct the victim to an ATM to deposit money allegedly into his own account, but in fact into the criminals'. No attempt is made to extract sensitive information from the bank's client: for example, he is not asked to name a code from an SMS. On the contrary, the user is told a "new" PIN code allegedly for his own card, say F6 experts.[1]

Hackers stole ₽40 million from Russians using NFCGate

F.A.C.C.T. recorded the theft of ₽40 million from customers of Russian banks over the past two months through a malicious application that intercepts the NFC data of bank cards. This became known on January 22, 2025.

According to TASS, the scheme is implemented through the NFCGate mobile application, first used against Russians in August 2024. The program makes it possible to capture and analyze NFC traffic between two smartphones.

Attackers distribute the malware under the guise of applications named "Protection of Cards of the Central Bank of the Russian Federation," "CBRezerv +," "Public Services Verification" and "Security Certificate." More than 100 unique samples of this software have been found on the network.

After installation, the program prompts the user to undergo "verification" by holding a bank card to the smartphone's NFC module. At that moment the card data, and the PIN code if entered, are transferred to the criminals. Experts note that functionality for intercepting SMS and push notifications could also be added.

Theft may not happen immediately: the functionality of NFCGate allows a criminal to record the victim's bank card data and replay it later, note experts at F.A.C.C.T.

In December 2024 - January 2025, about 400 attacks using this malware were registered. On average, ₽100 thousand was stolen from each victim.

The company's analysts predict a monthly increase of 25-30% in such cyberattacks on users of Android devices. Attackers can also install the application remotely using remote access Trojans.

If the victim does not block the card after the first incident, criminals can debit funds repeatedly. The captured data can also be used to tokenize the card and make purchases in stores.[2]

Notes