Alliance of Deception: Cybercriminals Exploit CraxsRAT and NFCGate to Target Bank Clients

The company **F6**, a leading developer of technology for combating cybercrime, has uncovered recent attacks targeting clients of Russian banks that use a combination of the Android Trojan **CraxsRAT** and the app **NFCGate**. This new method allows cybercriminals to remotely install malicious software on users’ devices without making a single phone call, enabling them to intercept and transmit bank card data via the device’s NFC module. According to F6 analysts, in March 2025 there were over **180,000** compromised devices in Russia running CraxsRAT and NFCGate.

**Frankenstein on Your Smartphone**

In the first quarter of 2025, the **F6 Fraud Protection** solution noted a rise in the share of compromised devices among Russian users that simultaneously run the CraxsRAT Trojan and the malicious software based on the legitimate NFCGate program. In F6’s **report**, these applications were highlighted as key threats to Russian bank clients in 2025, confirming our forecast.

**CraxsRAT** is a multifunctional Android Trojan initially developed using the code of the malware SpyNote. It infiltrates mobile devices masquerading as legitimate applications and updates. Once installed, it provides cybercriminals with remote control capabilities, allowing them to execute various actions unbeknownst to the user. F6 researchers first detailed the **CraxsRAT** Trojan in October 2024.

According to F6 analysts, the number of **CraxsRAT** infections in Russia surged by 2.5 times in February 2025 compared to December 2024, with over **22,000** compromised Android devices having this malware installed.

**NFCGate** is a mobile application created by German students in 2015, which criminals have leveraged to develop malicious software. When this app is installed on a device masquerading as a legitimate program, it prompts users to tap their bank card to the NFC module and enter a PIN. This data is then immediately transmitted to the perpetrators’ devices, enabling them to withdraw funds at ATMs. The criminal use of **NFCGate** was first reported by F6 researchers in January 2025.

The total financial damage from attacks on clients of Russian banks involving NFCGate-based malware in the first two months of 2025 is estimated at nearly **200 million** rubles. Attack incidents in February rose by 80% compared to January. Since the start of the year, attacks have been carried out against only a small fraction of the infected devices, just over 1,200. By the end of February, the total number of compromised Android devices with malicious versions of NFCGate surpassed **158,000** and continues to increase.

**No More Phone Calls Needed**

At the beginning of 2025, attackers primarily relied on phone calls and instant messages to deliver NFCGate to users’ devices. They would convince victims of the need to install a special mobile app on the pretext of «protecting» their bank cards, offering better terms from banks, a supposedly hacked «Gosuslugi» account, renewing mobile contracts, replacing medical insurance policies, paying for utility services, ensuring security, or verifying identity.

**Now, criminals more frequently use the CraxsRAT Trojan to deploy NFCGate onto users’ devices.** This is evidenced by the rise in the number of devices simultaneously running CraxsRAT and NFCGate. Furthermore, F6 specialists have discovered listings on the dark web offering rental of malicious software that combines the features of these two applications.

**The combined use of CraxsRAT and NFCGate greatly enhances criminals’ ability to steal money from bank customers.** The primary danger of this malware combination is that fraudsters no longer need to call and persuade users to install an «app.» It merely takes the careless installation of one disguised application for them to gain complete access to all banking apps, intercept notifications and confirmation codes, and withdraw stolen funds from accounts.

**Thieves Disguised as Protectors**

F6 specialists analyzed the infiltration tactics of CraxsRAT and NFCGate into users’ devices.

The main delivery method for **CraxsRAT** is social engineering. Cybercriminals spread malicious APK files disguised as photo archives, videos, and various applications through messaging platforms like WhatsApp and Telegram. The Cyber Intelligence department and the Financial Fraud Prevention department at F6 discovered over **140** unique variants of CraxsRAT during the investigation.

The top 10 «masks» for this malicious application include:

— «Фотографии.apk» (Photos), «Photo.apk», and «Мои голые видео.apk» (My Naked Videos)
— Applications from government services and agencies (e.g., «Gosuslugi», «Ministry of Health», «Ministry of Digital Development», «Central Bank of the Russian Federation», etc.)
— A fake application called «GosZashchita» (State Protection)
— Document management apps
— Video viewing applications
— Photo editing applications
— Apps for mobile operators in Russia and Belarus
— Popular antivirus programs
— Call-blocking apps
— «Shadow» versions of Telegram and other modules for the messenger (like Telegram Video Player)

F6 specialists also identified over **100** unique Android malware samples based on NFCGate.

The top 10 fake applications under which this malicious software disguises itself include:

— Apps from government entities (including the Federal Tax Service, Bank of Russia, Ministry of Digital Development)
— Nonexistent apps for government organizations (e.g., «Central Bank of Russia Card Protection», «Gosuslugi Verification», «Security Certificate», «GosSecure»)
— «Support»
— 5G
— Mobile operator applications
— Popular antivirus programs
— Applications for free internet calls
— Video calling apps
— Contactless payment programs
— Car diagnostics apps

«Using the combination of CraxsRAT and NFCGate, criminals can drain money from user accounts without making a single call. This opens up new avenues for cashing out stolen funds and executing a full cycle of fraud. This combination of malware allows for complete access to mobile devices, including remote banking applications. Criminals can intercept both bank notifications and confirmation codes as well as authorization data, facilitating direct withdrawals from the victim’s account by intercepting NFC traffic and compromising card data,» explains **Konstantin Grebenyuk**, an expert in financial fraud prevention at F6.

**How to Protect Yourself from CraxsRAT and NFCGate. Recommendations from F6 Specialists for Users.**

— Do not engage in conversations via messaging apps with unknown contacts, regardless of who they claim to be: bank employees, postal and mobile operators, government services, or utility providers.

— Avoid clicking on links from SMS and messages in messenger apps, even if they appear to be from banks or other official bodies.

— Refrain from installing applications through links found in SMS, messenger messages, emails, or suspicious websites. Only install applications from official app stores, like RuStore and Google Play. Always check app reviews before installing, paying particular attention to negative reviews to help identify fake and potentially harmful programs.

— If you are asked to install or update a bank app and provided with a link, call the hotline number found on the back of your bank card to verify if the offer is genuine.

— Never disclose your CVV and PIN codes for bank cards, as well as usernames and passwords for online banking, to strangers. Avoid inputting this information on unfamiliar or suspicious websites and apps, especially if it’s your first time installing them.

— If you believe your bank card has been compromised, immediately block it by calling your bank’s hotline or using the banking app.

**F6’s Recommendations for Banks’ Information Security Departments.**

— Eliminate communication with clients through messaging apps. Inform customers that bank employees do not use these platforms for client interaction.

— For suspicious authorizations and NFC-initiated ATM transactions, require the user to present the physical card.

— Take the user’s geolocation data into account.

— Implement additional protection measures to detect third-party malicious applications on the user’s device.

— Augment anti-fraud systems with ATM network events and tokenization events.
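
The bank-side recommendations above can be combined into a single step-up rule. The following is an added example, not F6’s code or a description of the F6 Fraud Protection product: it takes constructed tokenization events, ATM-network withdrawal events, a set of devices on which a malicious app was detected, and the customer’s last known geolocation, and returns the reasons an NFC ATM withdrawal should be stepped up to physical-card presentation. All event shapes, thresholds (24 hours, 50 km) and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Tokenization:  # tokenization event: card token provisioned on a device
    card: str
    device_id: str
    at: datetime


@dataclass
class AtmWithdrawal:  # withdrawal event reported by the ATM network
    card: str
    at: datetime
    lat: float
    lon: float
    nfc: bool  # True when the card was presented via NFC rather than inserted


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_withdrawal(w, tokenizations, flagged_devices, last_geo,
                      fresh=timedelta(hours=24), max_km=50.0):
    """Return the reasons an NFC ATM withdrawal should be stepped up to
    physical-card presentation; an empty list means no step-up is needed."""
    if not w.nfc:
        return []  # card was physically inserted; rule does not apply
    reasons = []
    card_tokens = [t for t in tokenizations if t.card == w.card]
    if any(timedelta(0) <= w.at - t.at <= fresh for t in card_tokens):
        reasons.append("card tokenised on a new device within the last 24h")
    if any(t.device_id in flagged_devices for t in card_tokens):
        reasons.append("tokenising device carries a malware indicator")
    geo = last_geo.get(w.card)
    if geo and distance_km(*geo, w.lat, w.lon) > max_km:
        reasons.append("ATM far from the customer's last known geolocation")
    return reasons


# Constructed sample data (hypothetical; not taken from the report)
TOKENS = [Tokenization("card-1", "dev-B", datetime(2025, 3, 10, 10, 0)),
          Tokenization("card-2", "dev-A", datetime(2025, 2, 1, 9, 0))]
FLAGGED = {"dev-B"}  # devices on which a malicious app was detected
LAST_GEO = {"card-1": (55.75, 37.62), "card-2": (55.75, 37.62)}  # Moscow
SUSPICIOUS = AtmWithdrawal("card-1", datetime(2025, 3, 10, 12, 0), 55.03, 82.92, True)
NORMAL = AtmWithdrawal("card-2", datetime(2025, 3, 10, 12, 0), 55.76, 37.60, True)
```

Running `assess_withdrawal(SUSPICIOUS, TOKENS, FLAGGED, LAST_GEO)` yields all three reasons, while `NORMAL` yields none.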

Banks can protect themselves from such operations through anti-fraud solutions that analyze session and behavioral data, as well as newer technologies for detecting suspicious activity that can analyze both the sender and the recipient of a payment. For instance, to assess transaction risk and verify recipients (KYC, know your customer), modules in the **F6 Fraud Protection** solution can collect and exchange cross-channel session data in real time, including device identifiers, network connection parameters, compromise indicators, and anonymized personal and transactional data.