NFC relay is a technique in which data exchanged wirelessly between a source (such as a bank card) and a receiver (such as a payment terminal) is intercepted by an intermediate device and forwarded in real time to another device. The relay application is installed on two smartphones connected via the Internet.
The card is tapped on the first smartphone and the second smartphone is held up to the reader in the terminal or ATM. From the terminal's perspective, the real card appears to be present, even though it may be in another city or even another country.
Initially, this technology wasn't created for criminal purposes. The NFCGate application appeared in 2015 as a research tool developed by students at the Technical University of Darmstadt in Germany. It was intended for analyzing and debugging NFC traffic, as well as for educational purposes and experiments with contactless technologies. NFCGate was distributed as an open-source solution and was used in academic circles and among enthusiasts. Five years later, cybercriminals took notice of the concept of NFC relay. NFCGate began to be modified, adding features like working through a server controlled by the attacker, disguising itself as useful programs and social engineering scenarios. Thus, the research project turned into the foundation for a whole class of attacks aimed at stealing money from bank accounts without physical access to the card.
History of Misuse
The first attacks using modified NFCGate were documented at the end of 2023 in the Czech Republic and the scheme reached Russia in August 2024. By the beginning of 2025, the problem had reached significant proportions: analysts discovered more than 80 unique malicious samples based on NFCGate. Attacks quickly evolved and NFC relay was integrated with other malicious components. In February 2025, combinations of the malicious software CraxsRAT and NFCGate appeared, allowing the relay to be set up with minimal involvement from the victim. In the spring of 2025, a new scheme emerged - the so-called "reverse" version of NFCGate, where the method of conducting the attack itself changed.
The RatOn Trojan, discovered in the Czech Republic, deserves particular attention. It combines remote control of the smartphone with NFC relay, allowing attacks on mobile banking and on the victim's cards using various combinations of methods. Screen capture, replacing data in the clipboard, sending SMS, and stealing information from cryptowallets and banking applications give attackers wide-ranging opportunities. Some code samples indicate that this malware supports Russian applications.
Cybercriminals also packaged NFC relay into a malicious platform (Malware-as-a-Service, MaaS) for resale to "colleagues" on a subscription basis. In Italy, SuperCard X, presumably of Chinese origin, was discovered. In May 2025, attempts to use SuperCard X were recorded in Russia, and in August in Brazil. According to research, the total damage from attacks based on NFCGate in Russia in the first quarter of 2025 exceeded 400 million rubles. In the third quarter of 2025, more than 44,000 NFC relay attacks were detected in Russia alone, one and a half times more than in the previous quarter.
Direct Attack with NFCGate
The direct attack is the first scenario of criminal use of NFCGate. In this scenario, the victim's smartphone acts as the reader and the attacker's smartphone acts as the card emulator. First, scammers convince the user to install a malicious application disguised as a banking service, an update, an account protection program or a popular application like TikTok. After installation, the application gains access to NFC and the Internet, often without requesting dangerous permissions or root access (NFC access is a normal-level permission on Android and is granted without a prompt). Some versions additionally request access to special Android features such as the Accessibility service. Then, supposedly to confirm the user's identity, the victim is asked to tap their bank card to the smartphone. When this happens, the malicious application reads the card via NFC and immediately sends the data to the attacker's server. From there, the information is forwarded to another smartphone held by the "drop", an accomplice responsible for withdrawing the money. That device then emulates the victim's card at a payment terminal or ATM.
The malicious application on the victim's smartphone also asks the victim to enter the card's PIN (as when paying at a terminal or withdrawing cash at an ATM) and transmits it to the attackers.
In early versions of the attack, criminals simply stood by the ATM with a phone ready to quickly use the card of the deceived user. Later, the malicious software was improved to allow data to be used in stores in a delayed manner, not in real-time. For the victim, the theft process is barely noticeable: the card doesn't leave the owner, its details don't need to be entered or dictated, and notifications about money withdrawals may arrive with a delay or be intercepted by the malicious application.
Among the alarming signs that may indicate a direct NFC attack:
- An offer to install an application not from official stores;
- A request to tap the bank card to the smartphone.
Reverse Attack with NFCGate
The reverse attack is a newer and more sophisticated scheme. In this scenario, the victim's smartphone doesn't read a card; it emulates the attacker's card. All actions appear completely safe to the victim: there is no need to dictate card details, provide any codes or tap a card to the smartphone. As in the direct scheme, everything starts with social engineering. The user is called or messaged and convinced to install an application for contactless payments, card protection or even working with the digital dollar. After installation, the new application asks to be made the default application for contactless payments, and this step is critical: on Android, an app that declares a host card emulation (HCE) payment service only needs the user to accept the system's "set as default payment app" prompt, so the malware doesn't require root access, user consent is sufficient. The malicious application then connects to the attacker's server in the background, and NFC data from a card belonging to one of the criminals is relayed to the victim's device. The victim notices nothing at this step.
In the next stage, the victim is directed to an ATM. Under the pretext of "depositing money into a secure account" or "transferring to yourself", the person is asked to tap the phone to the ATM's NFC module. At this moment, the ATM is actually working with the criminal's card. The victim is given the PIN code in advance, presented as new or temporary. As a result, all the money deposited or transferred by the victim goes to the criminals' account.
Signs of this attack include:
- A request to change the default NFC payment system;
- Information about a new PIN code;
- A scenario where the victim is instructed to go to an ATM and perform certain actions according to someone else's instructions.
How to Protect Against NFC Attacks
Attacks using NFC relay rely on abusing user trust rather than on technical vulnerabilities. Simple precautions can help protect against them.
- Don't agree to change the default contactless payment system (Google Pay, Samsung Pay, etc).
- Don't tap your bank card to your smartphone at the request of strangers or of applications. Legitimate applications typically use the camera to scan the card number, not the NFC reader.
- Don't perform operations at an ATM according to the instructions of strangers, no matter who they claim to be.
- Don't install applications sent in messengers, social networks, via SMS links or recommended during a phone call, even if they claim to come from bank support or the police.
- Use comprehensive protection for your Android smartphones to prevent fraudulent calls, visiting phishing sites, and installing malicious software.
- Try to use only official app stores and if that is not possible, manually visit the official websites of banks and other organizations to download known clean versions of mobile applications. When downloading from an app store, check reviews, the number of downloads, publication date and app rating.
- When working with an ATM, use a physical card, not a smartphone.
- Regularly check the default payment app (Tap & pay) setting in your smartphone's NFC settings. If you see a suspicious application in the list, remove it immediately and perform a full check of the smartphone for other malicious software.
- Study the list of applications with access to the Accessibility service in Android settings - this feature is often abused by malicious software. Suspicious applications should either be disconnected from Accessibility or removed.
- Add the official support numbers of banks where you have accounts to your smartphone's contact list and call the hotline immediately if you suspect fraud.
- If your card may have been compromised - block it immediately.
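The two settings-based checks above (default payment app and Accessibility) plus the "installed outside a store" indicator from the direct and reverse attack sections can be turned into an adb triage script. The script below is an added example for this post and is not part of NFCGate, RatOn, SuperCard X or any vendor tool. The Settings.Secure keys it reads (nfc_payment_default_component, enabled_accessibility_services) and the output format of "pm list packages -3 -i" are real Android interfaces; the allowlists of trusted payment, accessibility and store packages are assumptions for a hypothetical fleet, and the sample outputs are constructed so the checks can be exercised without a phone. Assumed: a POSIX shell, and adb on PATH only when --device is passed.

```shell
#!/bin/sh
# audit_nfc_relay.sh: hypothetical adb triage for the NFC relay indicators above.
# Added example; not part of NFCGate or the original post. Allowlists and sample
# outputs are assumptions/constructed data, not vendor-provided lists.

# Packages allowed to be the default payment (HCE) handler on this fleet (assumed).
TRUSTED_PAY="com.google.android.gms com.samsung.android.spay"
# Packages allowed to hold an enabled accessibility service (assumed).
TRUSTED_A11Y="com.google.android.marvin.talkback"
# Installer packages that count as an official store (assumed).
STORES="com.android.vending com.sec.android.app.samsungapps"

# Constructed sample outputs in the format the real adb commands print.
SAMPLE_DEFAULT='com.example.secure_pay/com.example.secure_pay.HceService'
SAMPLE_A11Y='com.example.secure_pay/.RelayAccessibilityService:com.google.android.marvin.talkback/.TalkBackService'
SAMPLE_PM='package:com.example.secure_pay  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.bankupdate  installer=com.google.android.packageinstaller'

# Settings.Secure "nfc_payment_default_component" is "package/Service" or null.
# Prints "none", "ok" or "SUSPECT <package>".
check_default_payment() {
    component="$1"
    allowlist="$2"
    if [ -z "$component" ] || [ "$component" = "null" ]; then
        echo "none"
        return 0
    fi
    pkg="${component%%/*}"
    for p in $allowlist; do
        if [ "$p" = "$pkg" ]; then
            echo "ok"
            return 0
        fi
    done
    echo "SUSPECT $pkg"
    return 0
}

# Settings.Secure "enabled_accessibility_services" is a colon-separated list of
# "package/Service". Prints one line per package not on the allowlist.
list_accessibility_abuse() {
    enabled="$1"
    allowlist="$2"
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg="${svc%%/*}"
        trusted=0
        for p in $allowlist; do
            [ "$p" = "$pkg" ] && trusted=1
        done
        [ "$trusted" -eq 0 ] && printf '%s\n' "$pkg"
    done
    return 0
}

# "pm list packages -3 -i" prints "package:<name>  installer=<package|null>".
# Prints third-party packages whose installer is not an official store.
list_sideloaded() {
    pm_output="$1"
    stores="$2"
    printf '%s\n' "$pm_output" | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        name="${line#package:}"
        name="${name%% *}"          # drop the "  installer=..." tail
        inst="${line##*installer=}"
        store=0
        for s in $stores; do
            [ "$s" = "$inst" ] && store=1
        done
        [ "$store" -eq 0 ] && printf '%s\n' "$name"
    done
    return 0
}

# With --device and adb on PATH, pull the live values; otherwise use the samples.
if [ "${1:-}" = "--device" ] && command -v adb >/dev/null 2>&1; then
    DEF=$(adb shell settings get secure nfc_payment_default_component | tr -d '\r')
    A11Y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    PM=$(adb shell pm list packages -3 -i | tr -d '\r')
else
    DEF=$SAMPLE_DEFAULT
    A11Y=$SAMPLE_A11Y
    PM=$SAMPLE_PM
fi
echo "default payment handler: $(check_default_payment "$DEF" "$TRUSTED_PAY")"
echo "accessibility services outside the allowlist:"
list_accessibility_abuse "$A11Y" "$TRUSTED_A11Y"
echo "third-party packages not installed by a store:"
list_sideloaded "$PM" "$STORES"
```

A package that shows up in all three lists at once (default payment handler, enabled accessibility service, sideloaded) matches the reverse-attack profile described above and is the first thing to pull off the phone for analysis; a sideloaded app that is only the payment handler still warrants removal, since no legitimate wallet arrives via a chat link.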
