ESET researchers discovered NGate — an Android malware that weaponizes NFC technology to steal tap-to-pay data from physical credit and debit cards and relay it to an attacker’s device. The attack chains social engineering, phishing, and NFC relay together, ending with fraudulent ATM withdrawals using a victim’s cloned card — no physical card theft required.
Stories Covered
NGate Android Malware: NFC Relay Attack Clones Tap-to-Pay Cards Without Touching Them
NGate is built on NFCGate, a legitimate research tool developed by students at Germany’s University of Darmstadt for capturing, analyzing, and relaying Near Field Communication traffic between devices. ESET, who discovered and named the malware, called it the first of its kind observed in the wild exploiting NFC relay for financial fraud. The attack begins with an SMS to potential victims — typically claiming a tax-related issue — that redirects them to a Progressive Web App (PWA) or web APK. These fake apps mimic bank interfaces and harvest banking credentials including account ID, birthdate, and card PIN. A follow-up phone call from a fake bank employee instructs the victim to enable NFC on their phone and hold their payment card against the back of the device. NGate captures the card’s NFC data and relays it through a server to the attacker. Czech authorities arrested a 22-year-old suspect in connection with the campaign.
The technical mechanism exploits how contactless payment tokenization works. When a card is registered with Google Pay or Apple Pay, a token is generated and stored on the device — not the raw card number. That token is what the phone transmits to payment terminals and ATMs. NGate captures the NFC signals from the victim’s physical card (which also broadcasts tokenized payment data), relays those signals to the attacker’s Android device, and injects them into the device’s secure memory. The attacker’s phone needs to be rooted to access the secure memory areas where payment tokens are stored — once it is, the attacker can present the phone at any NFC-enabled ATM and impersonate the victim’s card. Combined with the PIN captured during phishing, the attacker has everything needed for a full ATM withdrawal. If the NFC relay fails, the fallback is a direct bank transfer using the credential data already stolen.
The attack succeeds because it requires the victim to do almost nothing unusual — holding a card against a phone is a normal behavior that people already associate with tap-to-pay setup. The defense is straightforward: banks do not call customers and ask them to install apps or hold cards against their phone. Any unsolicited call instructing you to download something or enable a phone feature for “verification” should be hung up on immediately. If in doubt, call the bank back using the number on the card — not the number the caller provides. NGate also demonstrates why sideloaded apps (installed outside the Play Store or App Store) remain dangerous even when the social engineering story is plausible. Official app stores are not perfect, but they present a meaningfully higher barrier than a link in an SMS.
Leave a Reply