# NGate
NGate is the first Android malware to use NFC relay attacks to clone victims' physical payment cards and withdraw cash from ATMs. ESET discovered the family in August 2024, tracing active campaigns back to November 2023 targeting clients of Czech banks. The malware repurposes NFCGate, an open-source NFC research tool developed at the Technical University of Darmstadt, to capture NFC data from a victim's payment card and relay it in real time to an attacker's rooted Android device. That device then emulates the cloned card to perform contactless ATM withdrawals. Although the primary suspect was arrested in March 2024 and the original campaign ceased, NGate's technique proved highly influential. ESET's H2 2025 threat report documented an 87% increase in NFC-targeting Android threats, with successors like GhostTap and SuperCard building directly on the approach NGate pioneered.
## Overview
| Attribute | Details |
|---|---|
| First Seen | November 2023 (campaign start); March 2024 (malware samples identified) |
| Last Seen | March 2024 (suspect arrested, campaign ceased) |
| Status | Inactive (original campaign); technique spawned active successors |
| Type | NFC relay malware, banking fraud |
| Attribution | Unknown; one suspect arrested in the Czech Republic |
| Distribution | Malicious PWAs (Progressive Web Apps) and WebAPKs |
## Origin and Lineage
NGate has no lineage from existing Android banking trojan families. Its technical foundation comes from NFCGate, an academic tool created by researchers at TU Darmstadt for NFC security testing and analysis. NFCGate is designed to capture, analyze, and relay NFC traffic between devices for legitimate research purposes. NGate's developers repurposed the relay functionality for criminal use, packaging it into a malicious app distributed to victims under the guise of a banking application.
ESET's analysis confirmed that no prior mobile malware had implemented NFC relay for financial fraud. NGate represented an entirely new attack category on the mobile platform.
The technique has since been adopted and extended by multiple successors. GhostTap applies the NFC relay concept at broader scale, SuperCard focuses on contactless payment fraud, and RatOn (documented by ThreatFabric) combines NFC relay with Automated Transfer Systems (ATS) for a hybrid approach.
## Distribution
NGate campaigns used Progressive Web Apps (PWAs) and WebAPKs as the initial delivery mechanism, a technique that was novel at the time and has since become more common in mobile phishing.
| Vector | Details |
|---|---|
| Malicious PWAs | Progressive Web Apps impersonating Czech banking portals, installed via browser prompts |
| WebAPKs | Chrome-generated APKs from PWA manifests, appearing more legitimate than sideloaded apps |
| Smishing | SMS messages directing victims to phishing pages that prompt PWA installation |
| Social engineering | Victims instructed to tap their physical payment card against their phone after installation |
## Attack Flow
- Victim receives a smishing message impersonating their Czech bank
- The link leads to a phishing page that prompts installation of a PWA or WebAPK
- The installed app mimics the bank's interface and requests banking credentials
- The app instructs the victim to enable NFC and tap their physical payment card against their phone "for verification"
- NGate captures the NFC data from the payment card via the device's NFC reader
- The captured NFC data is relayed in real time to the attacker's rooted Android device
- The attacker's device emulates the cloned card using the relayed NFC data
- The attacker performs a contactless withdrawal at an ATM using the emulated card
The social engineering component is critical: the victim must physically hold their payment card against their phone's NFC reader. The fake banking app provides a convincing UI that makes this action appear to be a standard verification step.
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| NFC relay | Captures NFC data from victim's physical card and relays it to attacker's device in real time |
| Card emulation | Attacker's rooted device emulates the cloned card for contactless transactions |
| Credential phishing | Fake banking interface collects login credentials, client IDs, dates of birth |
| PIN capture | Social engineering prompts victim to enter their card PIN within the fake app |
| ATM cash withdrawal | Attacker uses emulated card data at contactless-enabled ATMs |
### NFCGate Integration
NGate integrates the relay component of NFCGate directly into its APK. The original NFCGate tool requires two devices: a "reader" that captures NFC data and a "server" that receives the relayed data. In NGate's implementation:
- The victim's infected device acts as the reader
- The attacker's rooted Android device acts as the server, receiving NFC data over the internet
- The attacker's device uses host-based card emulation (HCE) to present the cloned card data to an ATM's NFC reader
## Technical Details
### NFC Relay Mechanism
The NFC relay is the core technical innovation. When the victim taps their payment card against their phone:
| Step | Technical Detail |
|---|---|
| Capture | Device NFC reader captures the card's NFC communication (ISO 14443) |
| Relay | NFCGate component forwards raw NFC data to attacker's server over HTTPS |
| Emulation | Attacker's rooted device receives data and emulates the card via HCE |
| Transaction | Emulated card presented to ATM NFC reader for contactless withdrawal |
The relay happens in real time, meaning the card data does not need to be stored. The attacker must perform the ATM withdrawal while the victim's card is actively being read. This creates a time-sensitive operation but avoids leaving persistent card data on either device.
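The real-time constraint described above is also what gives defenders a handle on relay attacks: a card response that has crossed the attacker's network link arrives much later than a physically present card can answer. The following is an added example, not code from ESET's analysis or from NFCGate, showing a simplified terminal-side timing check in the spirit of the EMV relay-resistance measurement; the timing bounds, slack, retry count and session measurements are all constructed for illustration.

```python
"""Terminal-side relay detection by response timing (added example).

Assumption (not from the original page): the terminal times a short
command/response exchange with the card and compares the round trip
against the processing-time bounds a genuine card can achieve. A card
relayed over the internet must also traverse the attacker's network,
so its round trip is far longer than a local card's.
"""
from statistics import median

# Constructed bounds: a local card answers the timing probe in 2-40 ms;
# the terminal allows extra slack for antenna and OS scheduling noise.
CARD_MIN_MS = 2.0
CARD_MAX_MS = 40.0
TERMINAL_SLACK_MS = 20.0
MAX_ATTEMPTS = 3  # re-probe a few times before declining the card


def within_bounds(rtt_ms):
    """True if one measured round trip is plausible for a local card."""
    return CARD_MIN_MS <= rtt_ms <= CARD_MAX_MS + TERMINAL_SLACK_MS


def relay_check(measurements):
    """Classify a tap session from its timing probes.

    Returns 'no_data', 'ok' or 'relay_suspected'. The terminal accepts
    as soon as one of the first MAX_ATTEMPTS probes is within bounds,
    so a single noisy reading does not decline a genuine card, while a
    relayed card that never answers fast enough is flagged.
    """
    probes = list(measurements)[:MAX_ATTEMPTS]
    if not probes:
        return "no_data"
    return "ok" if any(within_bounds(r) for r in probes) else "relay_suspected"


def relay_overhead_ms(measurements):
    """Estimated latency the relay path adds, based on the median probe.

    Returns 0.0 for sessions that look local, so it can be logged as-is.
    """
    probes = list(measurements)
    if not probes:
        return 0.0
    return max(0.0, median(probes) - CARD_MAX_MS)


# Constructed sessions: a card tapped directly, and one relayed over the internet
LOCAL_CARD_MS = [18.4, 15.9, 17.2]
RELAYED_CARD_MS = [212.7, 189.3, 240.1]
```

Only the verdict and the estimated overhead need to be logged; a cluster of `relay_suspected` sessions at one ATM is the signal an issuer or acquirer would investigate.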
### PWA and WebAPK Delivery
The use of PWAs and WebAPKs for distribution was tactically significant:
| Delivery Type | Advantage |
|---|---|
| PWA | Bypasses Play Store entirely, no APK sideloading warnings, installs via browser |
| WebAPK | Chrome generates a real APK from the PWA manifest, appears in app drawer like a native app |
| Combined | Victims see what looks like a legitimate banking app without triggering Android's sideloading protections |
### Limitations
NGate had practical constraints that limited its scale:
| Constraint | Detail |
|---|---|
| Physical card required | Victim must physically tap their payment card against the phone |
| Real-time operation | Attacker must be at an ATM during the relay session |
| Rooted device required | Attacker's emulation device needs root access for HCE |
| Contactless ATM required | Target ATM must support NFC-based withdrawals |
| PIN dependency | Attacker needs the victim's PIN (captured via phishing) for ATM transactions |
## Permissions
| Permission | Purpose |
|---|---|
| NFC | Access device NFC hardware to capture payment card data |
| INTERNET | Relay captured NFC data to attacker's device over the network |
## Target Regions
| Region | Details |
|---|---|
| Czech Republic | Sole target of the original NGate campaigns |
NGate's geographic scope was limited to Czech bank clients. The phishing pages and PWAs impersonated specific Czech banking institutions. ESET confirmed that all identified victims were customers of Czech banks.
Despite the narrow geographic focus, the technique is universally applicable. Any country with contactless-enabled ATMs and NFC-equipped payment cards is vulnerable to the same approach, which explains why successors have expanded the targeting.
## Notable Campaigns
November 2023: The NGate campaign begins targeting Czech bank clients through smishing messages and malicious PWAs. Victims are tricked into installing fake banking apps and tapping their payment cards against their phones.
March 2024: Czech police arrest a suspect connected to the NGate operation. The arrest ends the active campaign. At the time of arrest, the suspect had been withdrawing cash from ATMs in Prague using NFC data relayed from victims' devices.
August 2024: ESET publishes the full technical analysis of NGate, revealing the NFC relay technique to the security community. The research identifies NGate as the first mobile malware to weaponize NFC relay for financial fraud and details the use of NFCGate as the underlying framework.
2025: ESET's H2 2025 threat report documents an 87% year-over-year increase in NFC-targeting Android threats. The report attributes this growth directly to the blueprint NGate established, with multiple new families adopting and extending the NFC relay approach.
## Related Families
NGate pioneered the NFC relay attack category on mobile, and several successors have built on the technique. GhostTap expanded the concept for broader geographic targeting and higher-volume operations. SuperCard focuses specifically on contactless payment fraud using relayed card data. RatOn, documented by ThreatFabric, represents the most advanced evolution by combining NFC relay with Automated Transfer Systems (ATS), enabling both NFC-based card cloning and on-device fraud within a single malware package.
The PWA-based distribution method NGate used has also been adopted by other campaigns. MoqHao and other smishing-focused families have experimented with PWA delivery as an alternative to traditional APK sideloading.
NGate's approach differs fundamentally from overlay-based banking trojans like Octo or Hook, which perform on-device fraud by remotely controlling the victim's banking app. NGate bypasses digital banking entirely by targeting the physical payment card, moving the fraud to the ATM rather than the mobile banking interface.