NFC Fraud Explodes 35x: New Attacks Hijack Contactless Payments via NFCGate Malware
ESET researchers have identified a new wave of cyberattacks that exploit data from NFC contactless payments. Initially targeting clients of Czech banks, this malicious campaign has now begun to spread rapidly across the globe.
According to ESET’s latest Threat Report for the first half of 2025, the number of NFC-related attacks has surged thirty-fivefold compared to the end of 2024. This alarming escalation highlights how swiftly cybercriminals are adapting to vulnerabilities in the technology underpinning contactless payments, which relies on the short-range exchange of data through radio signals.
While the global NFC market continues to expand—projected to grow from $21.69 billion in 2024 to $30.55 billion by 2029—the once-effective safeguards such as encryption and tokenization are proving increasingly inadequate against sophisticated attack techniques.
ESET notes that this new threat combines traditional elements of social engineering, phishing, and Android-based malware with a tool originally developed for academic research—NFCGate. Conceived by students at the Technical University of Darmstadt for secure testing of NFC systems, the tool has since been co-opted into the criminal toolkit under the alias NGate.
The attack begins with SMS messages containing phishing links that redirect victims to counterfeit banking websites. From there, the target is lured into installing a progressive web app (PWA), which bypasses official app store vetting and circumvents mobile security warnings.
Once login credentials are entered, the attackers gain access to the victim’s bank account and subsequently contact them by phone, posing as bank representatives. Under the pretense of account protection, the victim is persuaded to install the malicious NGate software.
This malware leverages NFCGate’s capabilities to intercept data from bank cards when they are brought near the smartphone. The stolen information is then used to emulate the card on the attacker’s device, enabling unauthorized payments or ATM withdrawals—without leaving digital traces.
A further evolution of the attack, dubbed Ghost Tap, links the compromised card data and one-time verification codes to the attackers’ own digital wallets, such as Apple Pay or Google Pay. This facilitates large-scale fraudulent transactions through contactless payment systems. Experts warn that these operations are often powered by vast networks of Android devices loaded with stolen credentials.
Despite the technical sophistication of these attacks, users can significantly mitigate the risks by adhering to basic security practices. ESET emphasizes the importance of avoiding suspicious links and refraining from installing apps from unverified sources. Additionally, users are advised to set low spending limits for contactless payments and to use RFID-blocking sleeves or cards to prevent unauthorized data skimming.
An added layer of protection can be achieved through comprehensive mobile security solutions that provide 24/7 threat monitoring, phishing defenses, and app permission auditing—tools capable of detecting malicious behavior in its earliest stages.
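One way to do the app permission auditing mentioned above, as an added example that is not from ESET or the original article: it flags apps that combine an untrusted install source with NFC access, the combination the NGate chain relies on. The inventory schema, field names, package names and scoring are assumptions; the two Android permission strings and the Google Play installer name are real.

```python
# Added example: heuristic audit of an app inventory for NGate-style risk.
# The inventory schema and field names are assumptions (e.g. an MDM export).
NFC_PERM = "android.permission.NFC"
HCE_BIND = "android.permission.BIND_NFC_SERVICE"  # guards card-emulation services
TRUSTED_INSTALLERS = {"com.android.vending"}      # Google Play; extend per fleet policy

def audit_app(app):
    """Return (score, reasons) for one inventory record."""
    reasons = []
    installer = app.get("installer")  # None means sideloaded / unknown source
    sideloaded = installer not in TRUSTED_INSTALLERS
    uses_nfc = NFC_PERM in app.get("permissions", [])
    emulates = HCE_BIND in app.get("service_permissions", [])
    if sideloaded:
        reasons.append("installed outside a trusted store")
    if uses_nfc:
        reasons.append("requests NFC access")
    if emulates:
        reasons.append("declares a card-emulation service")
    # NFC capability alone is normal (wallets, transit apps); only the
    # combination with an untrusted install source is scored as risky.
    score = 0
    if sideloaded and (uses_nfc or emulates):
        score = 2 + (1 if uses_nfc and emulates else 0)
    return score, reasons

def audit(inventory, threshold=2):
    """Return (package, score, reasons) for risky apps, highest score first."""
    findings = []
    for app in inventory:
        score, reasons = audit_app(app)
        if score >= threshold:
            findings.append((app["package"], score, reasons))
    return sorted(findings, key=lambda f: -f[1])

# Constructed sample inventory (package names are made up).
SAMPLE = [
    {"package": "com.example.wallet", "installer": "com.android.vending",
     "permissions": [NFC_PERM], "service_permissions": [HCE_BIND]},
    {"package": "com.example.bank_protect", "installer": None,
     "permissions": [NFC_PERM, "android.permission.INTERNET"], "service_permissions": [HCE_BIND]},
    {"package": "com.example.notes", "installer": None,
     "permissions": ["android.permission.INTERNET"], "service_permissions": []},
    {"package": "com.example.verify", "installer": "com.example.browser",
     "permissions": [NFC_PERM], "service_permissions": []},
]

if __name__ == "__main__":
    for pkg, score, reasons in audit(SAMPLE):
        print(f"{pkg}: risk {score} ({'; '.join(reasons)})")
```

A store-installed wallet is not flagged even though it has the same NFC capabilities; a hit is a prompt for manual review, not proof of compromise.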
As contactless payments become ever more prevalent and their convenience undeniable, it is imperative that users remain vigilant. Security begins with awareness and a proactive approach to personal device safety—lest the benefits of convenience come at the cost of severe financial consequences.