A sophisticated new malware campaign targeting Near Field Communication (NFC) payment systems has emerged as a significant global cybersecurity threat, transforming what began as a localized attack in Eastern Europe into a worldwide phenomenon.
The malicious operation, first identified by ESET researchers in late 2023 among Czech banking customers, has now expanded across multiple continents with devastating efficiency.
The threat has demonstrated explosive growth, with ESET telemetry data revealing a staggering 35-fold increase in NFC-related attacks during the first half of 2025 compared to the second half of 2024.
This dramatic surge underscores the rapid adaptation and scalability of cybercriminal operations targeting contactless payment infrastructure, capitalizing on the widespread adoption of mobile payment technologies.
The attack methodology combines traditional social engineering tactics with advanced NFC manipulation techniques, creating a multi-layered deception that has proven highly effective against unsuspecting victims.
ESET researchers identified the malware as exploiting NFCGate technology, originally developed as a legitimate research tool by students at the Technical University of Darmstadt’s Secure Mobile Networking Lab, but now weaponized for financial fraud.
The initial attack vector relies on SMS-based phishing campaigns that direct victims to fraudulent banking websites, subsequently deploying malicious Progressive Web Apps (PWAs) that bypass traditional app store security measures.
These applications harvest banking credentials before initiating voice-based social engineering attacks, where criminals impersonate bank employees to manipulate victims into downloading the NGate malware.
Technical Deep Dive: NFC Relay Attack Mechanism
The core technical innovation lies in the malware’s ability to create a seamless NFC relay between victim devices and attacker-controlled systems.
Once installed, NGate prompts victims to place their payment cards against their smartphone’s NFC reader under the pretense of PIN verification or security updates.
During this process, the malware captures the card's NFC data and relays it to remote attackers in real time.
The relay mechanism operates by establishing a covert communication channel between the victim’s device and the attacker’s infrastructure, effectively creating a virtual extension of the victim’s payment card.
This allows cybercriminals to clone card functionality onto their own devices, enabling unauthorized transactions without requiring physical possession of the original card.
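The relay described above works because neither the card nor the terminal can tell that the APDU exchange is travelling through a phone, a server and a second phone instead of a single RF link. The one thing a relay cannot hide is the extra time that round trip takes, which is the principle behind timing-based relay resistance in contactless EMV (Mastercard's kernel, for example, has the card declare its own processing time and the terminal compare it with the measured round trip). The following added example is a simplified simulation of that terminal-side check; it is not code from NGate, NFCGate or the EMV specification, performs no real NFC I/O, and every timing value, tolerance and latency figure in it is an assumption chosen for illustration.

```python
"""Simplified simulation of timing-based relay detection for a contactless tap.

Constructed example: the card declares how long it needs to answer a
challenge, the terminal measures the actual round trip, and a relayed tap
(victim phone -> attacker server -> attacker phone -> terminal) is rejected
because the network hop pushes the round trip past what a physically
present card could plausibly exhibit. All numbers are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass
class CardTimingDeclaration:
    """What a genuine card tells the terminal about its processing time (microseconds)."""
    min_processing_us: int
    max_processing_us: int


@dataclass
class TerminalPolicy:
    """Terminal-side expectations (assumed values, not specification constants)."""
    expected_transmission_us: int   # assumed time for the APDU to cross the RF link both ways
    tolerance_us: int               # slack accepted on top of the declared maximum
    max_attempts: int = 3           # assumed number of timing exchanges before giving up


def measure_round_trip(card: CardTimingDeclaration, policy: TerminalPolicy,
                       relay_latency_us: int, rng: random.Random) -> int:
    """Simulate one challenge/response round trip as the terminal would clock it.

    relay_latency_us is 0 for a genuine tap; a relayed tap adds the network hop
    on every exchange, since each APDU must travel to the real card and back.
    """
    processing = rng.randint(card.min_processing_us, card.max_processing_us)
    rf_jitter = rng.randint(0, 200)  # assumed RF/driver jitter
    return processing + policy.expected_transmission_us + rf_jitter + relay_latency_us


def relay_check(measured_us: int, card: CardTimingDeclaration, policy: TerminalPolicy) -> bool:
    """True if the measured round trip is consistent with a physically present card.

    Too slow suggests a relay hop; implausibly fast suggests a precomputed answer,
    so both bounds are enforced.
    """
    lower = card.min_processing_us + policy.expected_transmission_us
    upper = card.max_processing_us + policy.expected_transmission_us + policy.tolerance_us
    return lower <= measured_us <= upper


def authenticate_tap(card: CardTimingDeclaration, policy: TerminalPolicy,
                     relay_latency_us: int, seed: int = 0) -> dict:
    """Run the timing exchange up to max_attempts times; accept on the first pass."""
    rng = random.Random(seed)
    attempts = []
    for _ in range(policy.max_attempts):
        rtt = measure_round_trip(card, policy, relay_latency_us, rng)
        attempts.append(rtt)
        if relay_check(rtt, card, policy):
            return {"accepted": True, "attempts": attempts}
    return {"accepted": False, "attempts": attempts}


# Constructed parameters (assumptions, not measured values)
CARD = CardTimingDeclaration(min_processing_us=1_000, max_processing_us=3_000)
TIGHT_POLICY = TerminalPolicy(expected_transmission_us=500, tolerance_us=1_500)
LOOSE_POLICY = TerminalPolicy(expected_transmission_us=500, tolerance_us=100_000)
RELAY_HOP_US = 40_000  # assumed 40 ms mobile-network round trip added by the relay


if __name__ == "__main__":
    print("genuine tap, tight policy:", authenticate_tap(CARD, TIGHT_POLICY, 0))
    print("relayed tap, tight policy:", authenticate_tap(CARD, TIGHT_POLICY, RELAY_HOP_US))
    print("relayed tap, loose policy:", authenticate_tap(CARD, LOOSE_POLICY, RELAY_HOP_US))
```

The third run is the caveat a practitioner should take from this: the check is only as strong as the terminal's tolerance. With a tolerance wider than the latency of the attacker's relay path, the relayed tap is accepted just like a genuine one, so the bound has to be set from the physics of the RF link rather than padded for convenience.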
The attack’s sophistication extends to its evolution into “Ghost Tap” operations, where compromised card data populates entire farms of Android devices programmed for automated fraudulent transactions across global payment networks.