Cybersecurity researchers at F6 have uncovered a modified build of the NFCGate application that represents a significant evolution in ATM-based financial fraud. This new variant lets cybercriminals redirect victims' money transfers to accounts they control without being physically present at the ATM, a concerning advance in financial cybercrime techniques.
From Academic Tool to Cybercrime Weapon
Originally developed in 2015 at the Technical University of Darmstadt as a legitimate NFC protocol debugging tool, NFCGate has undergone a malicious transformation. The impact of this evolution has been substantial, with financial losses reaching 432 million rubles in Q1 2025 alone due to various NFCGate-based attacks.
Technical Analysis of the Reverse Attack Mechanism
The February 2025 variant implements what security experts term a "reverse" fraud scheme. Threat actors distribute the malware disguised as legitimate banking applications or digital ruble services. Once installed, the malware covertly emulates the attackers' payment cards on the victim's device, turning the phone into one end of a relay: when the victim taps the phone at an ATM, the terminal sees the attacker's card, so the transfer the victim performs is credited to the attacker's account rather than the victim's own.
Advanced Stealth Capabilities
The malware exhibits deliberate concealment features, including minimal permission requirements and enhanced masking techniques. A key component, the libapp.so library, removes the application's icon from the Android launcher so the user has no visible sign it is installed, significantly reducing the chance of detection. The malware maintains encrypted communication with its command-and-control servers for card data exfiltration and command reception.
Threat Intelligence and Impact Assessment
March 2025 statistics reveal over 1,000 successful attacks against Russian bank customers, with average losses of 100,000 rubles per incident. The infection has compromised approximately 175,000 devices across Russia. Most concerning is the malware’s ability to evade detection by current antivirus solutions, creating a significant security challenge.
The threat is amplified by the malware's availability on darknet markets, where it commands prices of $15,000 for outright purchase or $5,000 plus commission for rental arrangements. Security experts strongly advise users to exercise extreme caution when installing mobile applications, particularly those claiming to enhance banking services. Robust mobile security measures and strict application verification processes remain crucial for protecting against this evolving threat. Financial institutions are urged to enhance their transaction monitoring systems to detect and prevent unauthorized NFC-based operations.
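As an added example (not part of F6's report or of the original article), the heuristic below illustrates one transaction-monitoring check a bank could run against ATM telemetry: a single card that is credited from an unusual number of distinct ATMs or cities within a short window is the pattern an attacker-controlled card would produce when many victims' phones relay it. The record fields, thresholds and sample deposits are constructed assumptions for the illustration, not real bank data or any bank's production rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NfcDeposit:
    """One NFC-initiated ATM credit. Field names are hypothetical."""
    ts: datetime
    atm_id: str
    city: str
    card_token: str   # tokenised card that received the money
    amount: int       # rubles


T0 = datetime(2025, 3, 10, 9, 0)

# Constructed sample records: one card receives deposits from five ATMs in
# four cities within six hours; an ordinary customer uses one or two nearby
# ATMs days apart.
SAMPLE_DEPOSITS = [
    NfcDeposit(T0, "ATM-0101", "Moscow", "tok_MULE_01", 100_000),
    NfcDeposit(T0 + timedelta(hours=1), "ATM-0212", "Moscow", "tok_MULE_01", 80_000),
    NfcDeposit(T0 + timedelta(hours=2), "ATM-0305", "Kazan", "tok_MULE_01", 120_000),
    NfcDeposit(T0 + timedelta(hours=4), "ATM-0418", "Samara", "tok_MULE_01", 60_000),
    NfcDeposit(T0 + timedelta(hours=6), "ATM-0527", "Perm", "tok_MULE_01", 90_000),
    NfcDeposit(T0 + timedelta(minutes=30), "ATM-0101", "Moscow", "tok_CUST_42", 20_000),
    NfcDeposit(T0 + timedelta(days=3), "ATM-0101", "Moscow", "tok_CUST_42", 15_000),
    NfcDeposit(T0 + timedelta(days=3, hours=1), "ATM-0102", "Moscow", "tok_CUST_42", 5_000),
]


def flag_fan_in(deposits, window=timedelta(hours=24), max_atms=3, max_cities=2):
    """Return {card_token: reason} for every card credited from more than
    `max_atms` distinct ATMs or `max_cities` distinct cities inside any
    sliding window of length `window`. Thresholds are illustrative."""
    by_card = defaultdict(list)
    for d in sorted(deposits, key=lambda d: d.ts):
        by_card[d.card_token].append(d)

    alerts = {}
    for card, events in by_card.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            atms = {e.atm_id for e in span}
            cities = {e.city for e in span}
            if len(atms) > max_atms or len(cities) > max_cities:
                alerts[card] = (
                    f"{len(atms)} ATMs in {len(cities)} cities within {window}"
                )
                break  # one alert per card is enough
    return alerts


if __name__ == "__main__":
    for card, reason in flag_fan_in(SAMPLE_DEPOSITS).items():
        print(f"REVIEW {card}: {reason}")
```

In practice the alert would feed a hold-and-verify step on the credited card rather than block outright, and the window and thresholds would be tuned against the bank's own baseline of legitimate NFC deposits.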