NFC Traffic Stealer Targets Android Users & Their Banking Info

Published: 23/11/2024   Category: security




The malware builds on a near-field communication tool in combination with phishing and social engineering to steal cash.



A dangerous new Android malware has surfaced that can clone contactless payment data from physical credit and debit cards and relay it to an attacker's Android device, enabling fraudulent transactions.

Researchers from ESET, who are tracking the malware as NGate, described it this week as the first of its kind they have observed in the wild.

NGate is actually based on NFCgate, a tool that students at Germany's University of Darmstadt developed to capture, analyze, and alter near-field communication (NFC) traffic. NFC is what allows devices — such as smartphones — to communicate wirelessly with each other over short distances. The university students have described NFCgate as a legitimate research tool for reverse-engineering protocols or for assessing protocol security in different traffic conditions.

Among other things, NFCgate can capture NFC traffic that applications running on an Android phone might send or receive; relay NFC traffic between two devices via a server; replay captured NFC traffic; and clone identification and other initial tag information. "I believe it's for research purposes to demonstrate it is possible to extend the distance of NFC contactless communication — that is only up to 5 to 10 centimeters — by using Android phones," says Lukas Stefanko, ESET's senior malware researcher.

ESET observed a threat actor leveraging NFCgate's capability in combination with phishing and social engineering lures to try to steal cash from victims' bank accounts via fraudulent ATM transactions.

The scam involved the threat actor — likely a 22-year-old recently arrested by Czech authorities — sending SMS messages to potential victims in Czechia about a tax-related issue. People who clicked on the link ended up with a progressive Web app (PWA) or a Web APK (Android Package) that phished for their banking credentials and sent them to the attacker. Attackers have long used similar apps to get users to divulge their banking information.

The threat actor would then call the potential victim pretending to be a bank employee, notifying them about a security incident related to their account and requesting that they change their PIN and verify their card.

Victims who fell for the social engineering trick received a link to download NGate, which then executed a series of steps to enable fraudulent ATM withdrawals.

"After being installed and opened, NGate displays a fake website that asks for the user's banking information, which is then sent to the attacker's server," ESET said. The malware prompts victims to enter their banking client ID, birth date, the PIN for their bank card, and other sensitive information. It also asks victims to enable the NFC feature on their smartphone and to place their payment card at the back of their smartphone until the malicious app recognizes the card, ESET said.

At this point, NGate captures NFC data from the victim's card and sends it through a server to the attacker's Android device. The attacker's Android phone would need to be rooted, or compromised at the kernel level, to be able to use the relayed data. The NFC data allows the attacker to essentially clone the victim's card on their smartphone and use it to make payments and withdraw money from ATMs that support the NFC feature.

If this method failed, the attacker's fallback was to use the bank account data the victim had already provided to transfer funds from the victim's account to other banks, ESET said.

Stefanko says the attacker would have been able to steal funds from a victim's account without NGate, using just the banking credentials they might have managed to obtain from a victim. But it would have been a bit more complicated, since they would need to first transfer money to their own account and use a mule to withdraw the money from an ATM. Since NGate enables fraudulent ATM withdrawals, an attacker would have been able to steal from a victim's account without leaving a trail back to their own accounts.

"Attackers can use malware like NGate to capture and relay data from any NFC tag or token by either gaining physical access to them or by tricking users into placing the tag on the back of a compromised Android phone. During our testing, we successfully relayed the UID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases," the security vendor said, adding that it is also possible to execute relay attacks when an attacker can read an NFC token at one location and emulate its data to access premises in a different location.

The attack is being propagated by direct text messages rather than malicious apps in Google's official app store, a spokesperson stressed.

"Based on our current detections, no apps containing this malware are found on Google Play," the Google spokesperson said in an emailed comment to Dark Reading. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
