It all started, as it often does, with curiosity. Students from the Secure Mobile Networking Lab at TU Darmstadt were experimenting with NFC and built a tool: NFCGate, an open-source Android app intended as a lab instrument for testing protocol weaknesses, peeking into the data stream, and understanding how everything works. Lightweight, compact, and neatly assembled, it became a kind of digital Swiss Army knife for NFC communication.
The app can do quite a bit:
- intercept traffic exchanged over NFC between devices;
- create a live relay between two devices by forwarding signals through a server (yes, real-time);
- replay previously captured packets (convenient for repeating scenarios);
- and even clone NFC tags — in one click, just like in old spy movies.
The developers from TU Darmstadt emphasized that this tool was strictly for research. No unauthorized use, science only. And every launch of NFCGate was supposed to remind users of these limits — but, unfortunately, the story quickly veered off course.
The abuse mechanism of NFCGate
As with any shiny new toy, there were those who wanted to use it outside of its intended purpose. Soon, NFCGate began appearing in descriptions of attacks on bank cards. And that’s where real-world crime begins, not lab testing.
How NFCGate is used in real attacks
It all starts out seemingly harmless. A message arrives, supposedly from a bank or a "security service," asking the user to urgently download an app to "verify" something. The app looks legitimate and polished. After installation, the user is prompted to hold their card to the phone, again supposedly for verification. And this is where the black magic begins: the phone's NFC reader captures the card's data and forwards it elsewhere, and from that moment the card's data is no longer only in the owner's possession.
With that data, an attacker can do plenty — make purchases, withdraw money, emulate the card on another device. It all happens remotely, while the victim remains unaware. Until the money disappears.
Malware installation on victim devices
To distribute this malicious “gift” as widely as possible, attackers use a standard toolkit:
- phishing messages with malicious links (SMS or messengers);
- apps that imitate legitimate ones (same colors, icons, even familiar menus);
- websites that mimic official sources but deliver infected downloads.
Once installed on the phone, the app asks for very little: NFC access, plus the internet access that almost every app already requests. That's enough. Antivirus programs often detect nothing suspicious, because the permissions look minimal and the behavior appears routine.
How bank card data is intercepted via NFC
Once everything is installed and running, the attack flow is simple:
- the user taps their card to the phone; the app immediately grabs the chip data;
- the data is sent to the attacker (to a server or directly to their smartphone);
- the attacker launches card emulation (which can be used for purchases or ATM withdrawals).
No physical card is needed — only its digital clone. But terminals, especially contactless ones, accept it as if it were the real card. This is how a few lines of data turn into a full-blown theft.
Malware distribution methods
To spread infected versions of NFCGate and similar tools, attackers use tactics that blend psychology, visual mimicry, and technology. The result is a kind of digital theater — with the victim in the lead role, unknowingly.
- They pose as trusted services. Fake banking apps, tax portals, and even government platforms are crafted with stunning realism — icons, UI, names. When the user installs the app, they see typical permissions: access to NFC, internet, and other basic features. Everything looks normal.
- They attack via messengers and phishing sites. Malicious links circulate via WhatsApp, Telegram, and good old SMS. The sites are pixel-perfect replicas of official ones — logos, branding, support phrases — but in reality, they deliver a malicious APK.
- They hide code inside already infected apps. Some malware isn’t direct. It arrives as part of another app and later downloads NFC modules in the background. The user may never know their phone has become a cybercriminal's tool.
If installation from unknown sources is enabled, the risk of infection skyrockets. Sometimes one tap is all it takes.
Protection recommendations
For users:
- avoid installing apps from unofficial sources or suspicious links;
- carefully check what permissions the app requests (especially NFC and internet);
- use antivirus tools with behavior analysis, not just static signature checks;
- keep your phone’s security updates current and disable NFC when not in use;
- never tap your card to a phone unless prompted by an official banking app.
For banks:
- monitor spikes in NFC transactions (especially from new or untrusted devices);
- enable behavioral analytics in payment processing to catch unusual patterns;
- remind customers that NFC isn’t a toy and fake apps do exist;
- use tokenization and multi-factor authentication for transactions.
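The first two bank-side points, monitoring NFC spikes from unfamiliar devices and catching unusual patterns, can be turned into concrete detection rules. The following is an added illustration written for this article, not code from NFCGate or from any bank's fraud system. It assumes the acquirer sees, per contactless transaction, a tokenised card reference and some identifier of the paying device (both field names are assumptions), and it runs two rules over a constructed stream of events: a burst of taps from a card/device pair the bank has never seen, and the same card appearing on two different devices within a short window, which is exactly what a cloned or relayed card looks like from the processor's side.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NfcEvent:
    ts: datetime
    card_token: str   # tokenised card reference, never the real PAN (assumed field)
    device_id: str    # identifier of the paying device as seen by the acquirer (assumed field)
    amount: float


def sample_events():
    """Constructed sample data, not real transactions. Card C1 normally pays
    from device D-home; partway through, an unseen device D-new starts a
    burst of taps with the same card while D-home is still in use."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    raw = [
        (0, "C1", "D-home", 12.50),
        (60, "C2", "D-shop", 4.20),
        (120, "C1", "D-new", 95.00),
        (150, "C1", "D-new", 99.00),
        (180, "C1", "D-new", 99.00),
        (200, "C1", "D-home", 3.00),
    ]
    return [NfcEvent(base + timedelta(seconds=s), c, d, a) for s, c, d, a in raw]


def known_pairs():
    """Card/device pairs the bank has seen before (constructed)."""
    return {("C1", "D-home"), ("C2", "D-shop")}


def detect_anomalies(events, known, window=timedelta(minutes=5), burst_threshold=3):
    """Two rules over a time-ordered stream:
    - new_device_burst: a card/device pair the bank has never seen reaches
      `burst_threshold` taps inside `window` (alert once, when crossing it);
    - card_on_multiple_devices: the same card token shows up on a second
      device inside `window` (alert once per newly appearing device)."""
    alerts = []
    per_pair = defaultdict(deque)   # (card, device) -> timestamps inside window
    per_card = defaultdict(deque)   # card -> (timestamp, device) inside window

    for ev in sorted(events, key=lambda e: e.ts):
        pair = (ev.card_token, ev.device_id)

        # Rule 1: burst from an unfamiliar card/device pair.
        q = per_pair[pair]
        q.append(ev.ts)
        while ev.ts - q[0] > window:
            q.popleft()
        if pair not in known and len(q) == burst_threshold:
            alerts.append({"rule": "new_device_burst", "card": ev.card_token,
                           "device": ev.device_id, "count": len(q), "ts": ev.ts})

        # Rule 2: one card, two devices, within the same window.
        cq = per_card[ev.card_token]
        while cq and ev.ts - cq[0][0] > window:
            cq.popleft()
        devices_in_window = {d for _, d in cq}
        if devices_in_window and ev.device_id not in devices_in_window:
            alerts.append({"rule": "card_on_multiple_devices", "card": ev.card_token,
                           "devices": sorted(devices_in_window | {ev.device_id}),
                           "ts": ev.ts})
        cq.append((ev.ts, ev.device_id))

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(sample_events(), known_pairs()):
        print(alert)
```

Both rules fire only on state changes (the threshold being crossed, a device appearing for the first time in the window), so a single incident produces one alert each rather than one per tap. The thresholds are placeholders; a real deployment would tune the window and burst count against its own traffic and feed the alerts into a step-up authentication or hold decision rather than blocking outright.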
For developers:
- implement integrity and authenticity checks in your apps;
- validate operations server-side and bind them to the physical device;
- publish only on official app stores where apps are moderated;
- audit your NFC-related code for potential abuse scenarios.
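The second developer point, validating operations server-side and binding them to the physical device, is the one that defeats a relayed or replayed request even when the card data itself has leaked. Here is an added example of such a check, written for this article and not taken from NFCGate or any real banking backend. It assumes each enrolled device holds a per-device secret (in practice that credential would live in the phone's hardware-backed keystore and the server would hold the corresponding public key; a shared HMAC key stands in for that here to keep the example self-contained) and that every request carries a nonce and a timestamp. The server authenticates the request first, then rejects stale timestamps and any nonce it has already accepted.

```python
import hashlib
import hmac
import json
import secrets
import time


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and server sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(device_key: bytes, payload: dict) -> str:
    return hmac.new(device_key, canonical(payload), hashlib.sha256).hexdigest()


def make_request(device_id: str, device_key: bytes, op: str, amount_cents: int, now: float):
    """Client side: build a signed operation request. The amount is an integer
    number of cents so the canonical form never depends on float formatting.
    Field names are assumptions made for this example."""
    payload = {
        "device_id": device_id,
        "op": op,
        "amount_cents": amount_cents,
        "nonce": secrets.token_hex(16),
        "ts": int(now),
    }
    return payload, sign(device_key, payload)


class DeviceBoundValidator:
    """Server side. Holds one secret per enrolled device (constructed here;
    a real deployment would enrol a hardware-backed device key instead)."""

    def __init__(self, device_keys: dict, max_skew_s: int = 120):
        self.device_keys = dict(device_keys)
        self.max_skew_s = max_skew_s
        self.seen_nonces = set()   # in production, expire entries together with `ts`

    def validate(self, payload: dict, signature: str, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(payload.get("device_id"))
        if key is None:
            return False, "unknown device"
        # Authenticate before touching any state, so unsigned junk cannot
        # fill the nonce set or be used to probe it.
        if not hmac.compare_digest(sign(key, payload), signature):
            return False, "bad signature"
        if abs(now - payload["ts"]) > self.max_skew_s:
            return False, "stale timestamp"
        if payload["nonce"] in self.seen_nonces:
            return False, "replayed request"
        self.seen_nonces.add(payload["nonce"])
        return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed enrolment secret
    server = DeviceBoundValidator({"dev-A": key})
    payload, sig = make_request("dev-A", key, "pay", 1250, now=time.time())
    print(server.validate(payload, sig))   # first delivery is accepted
    print(server.validate(payload, sig))   # an identical second delivery is not
```

The order of the checks matters: the signature is verified before the nonce is recorded, so an attacker who cannot produce a valid signature cannot influence server state at all, and a captured valid request is useful exactly once and only within the clock-skew window. Tampering with any field, including the device identifier, invalidates the signature, which is what "bound to the physical device" means in practice.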
Where to test safely
If you're researching NFC vulnerabilities or app behavior, it's critical to use isolated, controlled environments. PSB.Hosting provides secure VPS servers with support for Android emulation, Docker, and traffic analysis tools.
What PSB.Hosting offers:
- High-performance VPS with SSD/NVMe storage
- Customizable environments — including Android, ADB, and NFC testing tools
- Full control over traffic, APIs, security, and network isolation
This infrastructure is ideal for research, threat modeling, and safe simulation — without risking your production systems.
Conclusion
NFCGate began as a project for academic research but quickly caught the attention of those on the other side of the law. Its story demonstrates how even the most helpful tool can become dangerous when oversight disappears.