NEWS No Root, No Noise, No Refunds: New NFC Attack Operates Quietly and Precisely

Doni

₽432 million in 3 months — the price of contactless trust.

Cybersecurity firm F6 has reported a new variant of malware based on NFCGate spreading across Russia. The tool lets criminals use a smartphone's NFC module to gain remote access to a victim's bank card. From the first recorded attack in August 2024 through the end of Q1 2025, total losses from all known versions of the malware reached 432 million rubles. From January to March 2025 an average of 40 successful attacks were recorded daily, with an average theft of around 120,000 rubles per incident.


Originally, NFCGate was created in 2015 by German university students as a research tool for NFC technology. However, cybercriminals repurposed it for malicious use, creating multiple modified versions. In early iterations, users would be tricked into installing the app under the guise of a legitimate application, then prompted to tap their card and enter a PIN. That data was immediately sent to criminals, who could then withdraw funds via ATMs.


In January 2025, F6 analysts detailed the use of NFCGate in fraud schemes. By February, a fundamentally new version had emerged, implementing a "reverse" strategy. This time the criminals no longer had to withdraw the victim's money themselves: the victim was manipulated into initiating the transaction, believing they were transferring funds to their own account, while the money actually went to the criminals.


How the Attack Works


The attack has two stages:


  1. Initial Infection: The victim is persuaded to install a malicious APK, typically under the pretense of "enhanced security", a "high-yield investment" or a digital ruble transfer. During setup the user is walked through making the app the device's default contactless payment app, which gives it card-emulation capability without root; the app then silently connects the device to the attackers' infrastructure.
  2. ATM Stage: The victim is directed to an ATM and given a "new" PIN. When the phone is tapped at the terminal, the app emulates a drop's card rather than the victim's, so the victim, believing they are moving funds to their own account, completes a transaction that credits the criminals.

Confirmed Scale of Attacks

In March 2025 alone, over 1,000 confirmed attacks were recorded, all targeting customers of Russia’s largest banks. Several hundred drop cards were involved, each reused in at least 3–4 fraud attempts. The average loss per attack was about 100,000 rubles.


Key Technical Differences in the New Version


F6 analysts have identified seven critical differences in this latest NFCGate variant:


  1. No card tapping or PIN entry is requested during setup.
  2. Fewer permissions are required than in the original NFCGate.
  3. Disguised as a contactless payment app.
  4. No root access needed: card emulation is obtained simply by tricking the user into setting the app as the default payment system.
  5. Expanded command list from the attackers’ server.
  6. Hides itself from the main screen; it can only be found through device settings.
  7. Uses multiple techniques to evade antivirus detection. In F6 tests, popular security tools failed to detect this reverse version.
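Three of the differences above (disguised as a payment app, installed as the default payment system, hidden from the home screen) are observable on a device without any malware signature. The script below is an added example, not code from F6, the article or the NFCGate project: it triages the card-emulation state of an Android device offline from text you would pull over adb. The evidence sources named in the module docstring (`settings get secure nfc_payment_default_component`, `dumpsys nfc`, `cmd package query-activities`) are assumptions about where to collect the data; the package names, the dump excerpt and the launcher list are constructed sample input in the shape Android prints (`pkg/.Class` and `ComponentInfo{pkg/Class}`).

```python
"""Offline triage of an Android device's NFC card-emulation state.

Added example (not F6's or NFCGate's code). Checks derived from the
reported behaviour of the 'reverse' NFCGate variant:
  - the app registers a host card emulation (HCE) service,
  - it is the current default contactless payment app,
  - it has no launcher activity (invisible on the home screen).

Assumed evidence sources (adb commands; the parsing below only relies on
the ComponentName / ComponentInfo string formats Android prints):
  adb shell settings get secure nfc_payment_default_component
  adb shell dumpsys nfc
  adb shell cmd package query-activities -a android.intent.action.MAIN \
      -c android.intent.category.LAUNCHER
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# 'pkg/.Cls' or 'pkg/full.Cls' as printed by ComponentName.flattenToShortString().
_FLAT_RE = re.compile(r"^([\w.]+)/(\.?[\w.$]+)$")
# 'ComponentInfo{pkg/full.Cls}' as printed inside dumpsys output.
_INFO_RE = re.compile(r"ComponentInfo\{([\w.]+)/([\w.$]+)\}")


def parse_flat_component(flat: str) -> Optional[Tuple[str, str]]:
    """Return (package, class) for a flattened component; None for 'null'/empty."""
    flat = flat.strip()
    if flat in ("", "null"):
        return None
    m = _FLAT_RE.match(flat)
    if not m:
        raise ValueError(f"unrecognised component string: {flat!r}")
    pkg, cls = m.groups()
    if cls.startswith("."):  # short form: class is relative to the package
        cls = pkg + cls
    return pkg, cls


def hce_services(dumpsys_nfc: str) -> Dict[str, Set[str]]:
    """Map package -> card-emulation service classes found in a dumpsys nfc dump.

    Assumption: every ComponentInfo{...} in the NFC dump is a registered
    card-emulation service (the dump lists them under the HCE manager).
    """
    out: Dict[str, Set[str]] = {}
    for pkg, cls in _INFO_RE.findall(dumpsys_nfc):
        out.setdefault(pkg, set()).add(cls)
    return out


@dataclass
class Finding:
    package: str
    reasons: List[str] = field(default_factory=list)


def triage(default_payment: str, dumpsys_nfc: str,
           launcher_packages: Set[str], trusted_packages: Set[str]) -> List[Finding]:
    """Flag HCE-capable packages that look like a hidden default payment app."""
    findings: List[Finding] = []
    default = parse_flat_component(default_payment)
    default_pkg = default[0] if default else None
    for pkg in sorted(hce_services(dumpsys_nfc)):
        if pkg in trusted_packages:  # known wallet / bank apps go on an allowlist
            continue
        reasons = ["registers an HCE (host card emulation) service"]
        if pkg == default_pkg:
            reasons.append("is the current default contactless payment app")
        if pkg not in launcher_packages:
            reasons.append("has no launcher activity (not visible on the home screen)")
        if len(reasons) > 1:  # HCE alone is legitimate; require a second indicator
            findings.append(Finding(pkg, reasons))
    return findings


# --- constructed sample evidence (shape only, not a real device dump) ---------
SAMPLE_DEFAULT = "com.example.contactlesspay/.PayHceService"
SAMPLE_DUMPSYS_NFC = """\
mCardEmulationManager:
  Registered HCE services:
    ComponentInfo{com.example.wallet/com.example.wallet.WalletHceService}
    ComponentInfo{com.example.contactlesspay/com.example.contactlesspay.PayHceService}
  Preferred payment service: ComponentInfo{com.example.contactlesspay/com.example.contactlesspay.PayHceService}
"""
SAMPLE_LAUNCHER = {"com.example.wallet", "com.example.bank", "com.android.settings"}
TRUSTED = {"com.example.wallet"}


def demo() -> List[Finding]:
    """Run the triage over the constructed sample and return the findings."""
    return triage(SAMPLE_DEFAULT, SAMPLE_DUMPSYS_NFC, SAMPLE_LAUNCHER, TRUSTED)


if __name__ == "__main__":
    for f in demo():
        print(f.package)
        for r in f.reasons:
            print("  -", r)
```

A legitimate wallet also registers an HCE service and is usually the default payment app, which is why the script only reports a package when a second indicator is present and why known wallets belong on the allowlist; the missing launcher icon is the strongest single signal here, since a payment app the user is meant to open has no reason to hide itself.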

F6 emphasized that “in the hands of cybercriminals, a legitimate tool like NFCGate has quickly become one of the primary threats to Russian bank customers.” They note that new, more advanced versions are appearing monthly, capable of bypassing anti-fraud systems and remaining hidden from security software. The reverse version is already being sold on the dark web, indicating both high demand and widespread distribution.


This silent, sophisticated attack method is a stark reminder that even trusted technologies like NFC can become powerful tools for fraud when weaponized — especially in environments where digital trust is taken for granted.