Login
Direct and reverse NFC relay attacks being used to steal money | Kaspersky official blog
Thanks to the convenience of NFC and smartphone payments, many people no longer carry wallets or remember their bank card PINs. All their cards reside in a payment app, and using that is quicker than fumbling for a physical card. Mobile payments are also secure β the technology was developed relatively recently and includes numerous anti-fraud protections. Still, criminals have invented several ways to abuse NFC and steal your money. Fortunately, protecting your funds is straightforward: just know about these tricks and avoid risky NFC usage scenarios.
What are NFC relay and NFCGate?
NFC relay is a technique where data wirelessly transmitted between a source (like a bank card) and a receiver (like a payment terminal) is intercepted by one intermediate device, and relayed in real time to another. Imagine you have two smartphones connected via the internet, each with a relay app installed. If you tap a physical bank card against the first smartphone and hold the second smartphone near a terminal or ATM, the relay app on the first smartphone will read the cardβs signal using NFC, and relay it in real time to the second smartphone, which will then transmit this signal to the terminal. From the terminalβs perspective, it all looks like a real card is tapped on it β even though the card itself might physically be in another city or country.
This technology wasnβt originally created for crime. The NFCGate app appeared in 2015 as a research tool after it was developed by students at the Technical University of Darmstadt in Germany. It was intended for analyzing and debugging NFC traffic, as well as for education purposes and experiments with contactless technology. NFCGate was distributed as an open-source solution and used in academic and enthusiast circles.
Five years later, cybercriminals caught on to the potential of NFC relay and began modifying NFCGate by adding mods that allowed it to run through a malicious server, disguise itself as legitimate software, and perform social engineering scenarios.
What began as a research project morphed into the foundation for an entire class of attacks aimed at draining bank accounts without physical access to bank cards.
A history of misuse
The first documented attacks using a modified NFCGate occurred in late 2023 in the Czech Republic. By early 2025, the problem had become large scaleΒ and noticeable: cybersecurity analysts uncovered more than 80 unique malware samples built on the NFCGate framework. The attacks evolved rapidly, with NFC relay capabilities being integrated into other malware components.
By February 2025, malware bundles combining CraxsRAT and NFCGate emerged, allowing attackers to install and configure the relay with minimal victim interaction. A new scheme, a so-called βreverseβ version of NFCGate, appeared in spring 2025, fundamentally changing the attackβs execution.
Particularly noteworthy is the RatOn Trojan, first detected in the Czech Republic. It combines remote smartphone control with NFC relay capabilities, letting attackers target victimsβ banking apps and cards through various technique combinations. Features like screen capture, clipboard data manipulation, SMS sending, and stealing info from crypto wallets and banking apps give criminals an extensive arsenal.
Cybercriminals have also packaged NFC relay technology into malware-as-a-service (MaaS) offerings, and reselling them to other threat actors through subscription. In early 2025, analysts uncovered a new and sophisticated Android malware campaign in Italy, dubbed SuperCard X. Attempts to deploy SuperCard X were recorded in Russia in May 2025, and in Brazil in August of the same year.
The direct NFCGate attack
The direct attack is the original criminal scheme exploiting NFCGate. In this scenario, the victimβs smartphone plays the role of the reader, while the attackerβs phone acts as the card emulator.
First, the fraudsters trick the user into installing a malicious app disguised as a banking service, a system update, an βaccount securityβ app, or even a popular app like TikTok. Once installed, the app gains access to both NFC and the internet β often without requesting dangerous permissions or root access. Some versions also ask for access to Android accessibility features.
Then, under the guise of identity verification, the victim is prompted to tap their bank card to their phone. When they do, the malware reads the card data via NFC and immediately sends it to the criminalsβ server. From there, the information is relayed to a second smartphone held by a money mule, who helps extract the money. This phone then emulates the victimβs card to make payments at a terminal or withdraw cash from an ATM.
The fake app on the victimβs smartphone also asks for the card PIN β just like at a payment terminal or ATM β and sends it to the attackers.
In early versions of the attack, criminals would simply stand ready at an ATM with a phone to use the duped userβs card in real time. Later, the malware was refined so the stolen data could be used for in-store purchases in a delayed, offline mode, rather than in a live relay.
For the victim, the theft is hard to notice: the card never left their possession, they didnβt have to manually enter or recite its details, and the bank alerts about the withdrawals can be delayed or even intercepted by the malicious app itself.
Among the red flags that should make you suspect a direct NFC attack are:
- prompts to install apps not from official stores;
- requests to tap your bank card on your phone.
The reverse NFCGate attack
The reverse attack is a newer, more sophisticated scheme. The victimβs smartphone no longer reads their card β it emulates the attackerβs card. To the victim, everything appears completely safe: thereβs no need to recite card details, share codes, or tap a card to the phone.
Just like with the direct scheme, it all starts with social engineering. The user gets a call or message convincing them to install an app for βcontactless paymentsβ, βcard securityβ, or even βusing central bank digital currencyβ. Once installed, the new app asks to be set as the default contactless payment method β and this step is critically important. Thanks to this, the malware requires no root access β just user consent.
The malicious app then silently connects to the attackersβ server in the background, and the NFC data from a card belonging to one of the criminals is transmitted to the victimβs device. This step is completely invisible to the victim.
Next, the victim is directed to an ATM. Under the pretext of βtransferring money to a secure accountβ or βsending money to themselvesβ, they are instructed to tap their phone on the ATMβs NFC reader. At this moment, the ATM is actually interacting with the attackerβs card. The PIN is dictated to the victim beforehand β presented as βnewβ or βtemporaryβ.
The result is that all the money deposited or transferred by the victim ends up in the criminalsβ account.
The hallmarks of this attack are:
- requests to change your default NFC payment method;
- a βnewβ PIN;
- any scenario where youβre told to go to an ATM and perform actions there under someone elseβs instructions.
How to protect yourself from NFC relay attacks
NFC relay attacks rely not so much on technical vulnerabilities as on user trust. Defending against them comes down to some simple precautions.
- Make sure you keep your trusted contactless payment method (like Google Pay or Samsung Pay) as the default.
- Never tap your bank card on your phone at someone elseβs request, or because an app tells you to. Legitimate apps might use your camera to scan a card number, but theyβll never ask you to use the NFC reader for your own card.
- Never follow instructions from strangers at an ATM β no matter who they claim to be.
- Avoid installing apps from unofficial sources. This includes links sent via messaging apps, social media, SMS, or recommended during a phone call β even if they come from someone claiming to be customer support or the police.
- Use comprehensive security on your Android smartphones to block scam calls, prevent visits to phishing sites, and stop malware installation.
- Stick to official app stores only. When downloading from a store, check the appβs reviews, number of downloads, publication date, and rating.
- When using an ATM, rely on your physical card instead of your smartphone for the transaction.
- Make it a habit to regularly check the βPayment defaultβ setting in your phoneβs NFC menu. If you see any suspicious apps listed, remove them immediately and run a full security scan on your device.
- Review the list of apps with accessibility permissions β this is a feature commonly abused by malware. Either revoke these permissions for any suspicious apps, or uninstall the apps completely.
- Save the official customer service numbers for your banks in your phoneβs contacts. At the slightest hint of foul play, call your bankβs hotline directly without delay.
- If you suspect your card details may have been compromised, block the card immediately.
