In 2025, toll road scams have surged globally. These scams typically impersonate legitimate toll operators or government agencies to create a sense of urgency and fear about unpaid fees, tricking victims into disclosing personal and financial information.

Another rising threat in 2025 is NFC relay fraud. Cybercriminals often turn to the open-source NFCGate research project to develop malicious apps capable of NFC relaying. 

Created by students at the Secure Mobile Networking Lab at the Technical University of Darmstadt for legitimate security research purposes, the project has been misused by threat actors, particularly following the widespread adoption of contactless payments during the pandemic era. 

In the summer of 2024, researchers at ESET publicly disclosed the first malware samples based on the NFCGate project, referring to them as NGate malware. Since then, there has been a significant increase in global criminal interest in NFC relay fraud within the mobile threat landscape.

Recently, we discovered a malware sample that showcases the transformative impact of the NFC relay feature in well-known scam scenarios such as unpaid tolls.

Technical analysis

Initial access

The unpaid toll road scams are primarily spread through fraudulent text messages containing links to phishing websites. However, the nature of this new version suggests that malvertising—when malware is distributed through online advertising—could also serve as a viable distribution method. 

During our investigation, we identified two websites responsible for distributing the malicious app and impersonating the Play Store page of the Australian toll road account management app. Still, it remains unclear how links to these websites are being distributed. 

At the time of writing, both distribution websites were inactive. The detected domains resolve to the same IP address:

  • tmps-info.top (tmps may stand for traffic management plans)
  • info-linkt.top

Figure 1: Distribution website

NGate malware

The fraudulent Android app impersonates a legitimate toll road operator in Australia. The genuine app, which allows users to manage their toll road accounts, has been downloaded over a million times from the Google Play Store. In contrast, the fake app is distributed via deceptive websites that mimic the Play Store interface.

Upon launch, the malicious app requests the user’s location and vehicle plate number. It then displays a fabricated unpaid toll notice for $10, accompanied by a warning of a potential $500 penalty if the amount is not paid within three business days. Notably, the notice includes the message “E-tag undetected” in its description field—likely intended to make users believe there was a failure in the seamless electronic toll payment system.

An e-TAG is an electronic device placed in a vehicle that enables automatic toll payments by communicating with toll points. Over one million e-TAGs have been issued in Australia, making this message particularly effective.

Figure 2: The fraudulent app for the unpaid toll road scam in Australia

Until now, it was unclear why the scammers opted to use an app instead of a phishing website. Typically, malicious apps are used to deploy infostealers or spyware, often targeting two-factor authentication codes delivered via SMS. However, that was not the case here. 

A phishing website could have achieved similar results without requiring the user to sideload an app, a process that usually raises suspicion. The reason became evident during the payment process: the app only accepts tap-to-pay transactions. This approach makes the payment process extremely convenient for the victim while simultaneously obscuring the fraudulent nature of the transaction, making it much harder to detect the scam. 

The app also asks the victim for the card PIN, which suggests that the transaction will cost significantly more than $10, as is typical of a well-crafted scam. Payment systems require a cardholder verification method (CVM) for contactless transactions above a certain limit, which varies between banks. Possessing the PIN allows cybercriminals to spend the maximum amount permitted for a purchase.

Figure 3: Tap-to-Pay

The technical analysis led us to a Telegram group that develops and supports an NFC relay application called RemoteNFC. The malicious toll app is an exact copy of this application, adapted for the toll road scam with features such as an invisible login process, a redesigned GUI, and corresponding implementation changes. 

This is the same operational model used by the threat actor we previously identified in Italy and Spain a few months ago. It is relatively easy to find Malware-as-a-Service (MaaS) providers for NFC relaying on Telegram, who are often Chinese-speaking threat actors.

The RemoteNFC app is a slightly modified version of the NFCGate project. It includes an extra QR code scanner for login, designed to enable MaaS operation. Subscribed users receive a QR code, which they scan to activate the service and access the app’s NFC relay capabilities. Additionally, a lightweight open-source library has been added to implement an app update mechanism.

The NGate malware uses the NFCGate project in relay mode to transfer NFC traffic between two Android phones through a server over the Internet. One device reads an NFC tag, while another emulates an NFC tag using Host Card Emulation (HCE). All traffic on the ISO 14443 layer is relayed.

Figure 4: NFCGate used in relay mode

Conclusion

NFC relay fraud is on the rise globally, as threat actors increasingly exploit NFC technology to enhance their tactics. This emerging cash-out method helps to bypass traditional fraud detection systems and is difficult for users to recognize. 

A common element in these schemes is the use of money mules who illicitly register Point-of-Sale (POS) terminals. Unfortunately, most POS terminals or ATMs currently lack the necessary logic to detect relayed NFC communications.

Even if new countermeasures are developed, updating all devices worldwide could take decades. Therefore, early detection and prevention—ideally at the victim’s device—are critical for effective protection. According to the ESET Threat Report H1 2025, NFC fraud has surged by a factor of 35, which aligns with our observations.
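The relay mode described in the NGate section (two phones exchanging ISO 14443 traffic through a server) and the detection gap noted above point to one coarse countermeasure a reader-side implementer can prototype: comparing per-APDU round-trip times against a local baseline, because a relay over the Internet adds network latency to every command/response pair. The Python below is an added illustration written for this page, not code from the report, from NFCGate or from any terminal vendor; the APDU labels, the timings, the 20 ms baseline and the factor of 5 are constructed assumptions that a real deployment would calibrate against measured genuine cards on that reader.

```python
"""Illustrative timing-based check for relayed NFC (ISO 14443) sessions.

A card held directly to a reader answers each APDU within a few
milliseconds. When the traffic is relayed between two phones through a
server, every round trip also carries the network latency, so a reader
that timestamps individual command/response pairs can flag sessions whose
timings sit far above a local baseline. All numbers here are constructed
for illustration, not measurements from real cards or terminals.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List


@dataclass
class ApduExchange:
    command: str   # short label of the command APDU, e.g. "SELECT PPSE"
    rtt_ms: float  # time from sending the command to receiving the response


@dataclass
class RelayVerdict:
    suspicious: bool
    median_rtt_ms: float
    slow_exchanges: List[str] = field(default_factory=list)


def assess_session(exchanges: List[ApduExchange],
                   baseline_ms: float = 20.0,
                   factor: float = 5.0) -> RelayVerdict:
    """Flag a session whose median round trip exceeds `factor` times the
    expected local baseline. Individual slow exchanges are listed as well so
    an operator can see which steps carried the extra latency.

    `baseline_ms` and `factor` are assumed values; a deployment would derive
    them from timings observed for genuine cards on the same reader.
    """
    if not exchanges:
        raise ValueError("empty session")
    limit = baseline_ms * factor
    med = median(e.rtt_ms for e in exchanges)
    slow = [e.command for e in exchanges if e.rtt_ms > limit]
    return RelayVerdict(suspicious=med > limit, median_rtt_ms=med,
                        slow_exchanges=slow)


# Constructed sample sessions: the same command sequence once with a card
# presented directly to the reader and once relayed through a server.
LOCAL_SESSION = [
    ApduExchange("SELECT PPSE", 6.0),
    ApduExchange("SELECT AID", 5.5),
    ApduExchange("GET PROCESSING OPTIONS", 9.0),
    ApduExchange("READ RECORD", 7.0),
]

RELAYED_SESSION = [
    ApduExchange("SELECT PPSE", 180.0),
    ApduExchange("SELECT AID", 165.0),
    ApduExchange("GET PROCESSING OPTIONS", 210.0),
    ApduExchange("READ RECORD", 172.0),
]

if __name__ == "__main__":
    for name, session in (("local", LOCAL_SESSION), ("relayed", RELAYED_SESSION)):
        verdict = assess_session(session)
        print(f"{name}: median {verdict.median_rtt_ms:.1f} ms, "
              f"suspicious={verdict.suspicious}, slow={verdict.slow_exchanges}")
```

Running the block prints one verdict per constructed session. The check is a heuristic rather than true distance bounding: it assumes the reader can timestamp each command/response pair, and the threshold has to be tuned against genuine cards on that reader, otherwise slow but legitimate cards will be flagged alongside relayed ones.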

Indicator of Compromise (IOC) List

Indicator                                                         Type     Description
64f5f9309a6b1a86067a05d47af6fb23b6bd968c47ad1a9efbbf3da786ba20ab  SHA256   NGate malware (Toll road scam)
tmps-info.top                                                     Domain   Distribution website
info-linkt.top                                                    Domain   Distribution website
103.143.203.249:5566                                              IP:PORT  NFCGate server
61defense.icu                                                     Domain   C2 server for tracking the target’s progress in the app
8d89d58361e9679263ae0edff41d3d38b448466868c13056b3ffcd88cbc02e79  SHA256   NGate malware (RemoteNFC)
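As an added example that is not part of the original report, the script below parses the IOC list above into lookup tables and scans a few constructed DNS, firewall and antivirus log lines for matches on the domains, the NFCGate server address and the sample hashes. The IOC values are exactly those listed on this page; the log lines, the internal address 10.0.0.12 and the benign hostname example.com are made up for the demonstration.

```python
"""Match the IOCs published in this report against log lines.

The IOC block is copied from the report's table. The log lines are
constructed to show one hit on a distribution domain, one on the NFCGate
server address, one on a sample hash, and one benign line with no hit.
"""
import re
from typing import Dict, List

IOC_TABLE = """
64f5f9309a6b1a86067a05d47af6fb23b6bd968c47ad1a9efbbf3da786ba20ab SHA256 NGate malware (Toll road scam)
tmps-info.top Domain Distribution website
info-linkt.top Domain Distribution website
103.143.203.249:5566 IP:PORT NFCGate server
61defense.icu Domain C2 server for tracking the target's progress in the app
8d89d58361e9679263ae0edff41d3d38b448466868c13056b3ffcd88cbc02e79 SHA256 NGate malware (RemoteNFC)
"""

# Constructed sample log lines (not from any real environment).
SAMPLE_LOG = [
    "2025-07-01T10:22:15 dns query from 10.0.0.12 for tmps-info.top type A",
    "2025-07-01T10:22:40 fw allow 10.0.0.12:41222 -> 103.143.203.249:5566 proto tcp",
    "2025-07-01T10:23:02 dns query from 10.0.0.12 for example.com type A",
    "2025-07-01T10:25:11 av scan file app.apk sha256=64f5f9309a6b1a86067a05d47af6fb23b6bd968c47ad1a9efbbf3da786ba20ab",
]

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_iocs(text: str) -> Dict[str, Dict[str, str]]:
    """Turn 'indicator type description' lines into per-type lookup dicts.

    Indicators are lower-cased so that matching is case-insensitive.
    """
    iocs: Dict[str, Dict[str, str]] = {"SHA256": {}, "Domain": {}, "IP:PORT": {}}
    for line in text.strip().splitlines():
        indicator, kind, description = line.split(" ", 2)
        iocs[kind][indicator.lower()] = description
    return iocs


def scan_log(lines: List[str], iocs: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one record per IOC match, in log order."""
    hits = []
    for line in lines:
        lowered = line.lower()
        for domain in DOMAIN_RE.findall(lowered):
            if domain in iocs["Domain"]:
                hits.append({"kind": "Domain", "indicator": domain,
                             "description": iocs["Domain"][domain], "line": line})
        for ip, port in IPPORT_RE.findall(lowered):
            key = f"{ip}:{port}"
            if key in iocs["IP:PORT"]:
                hits.append({"kind": "IP:PORT", "indicator": key,
                             "description": iocs["IP:PORT"][key], "line": line})
        for digest in SHA256_RE.findall(lowered):
            if digest in iocs["SHA256"]:
                hits.append({"kind": "SHA256", "indicator": digest,
                             "description": iocs["SHA256"][digest], "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_TABLE)):
        print(f"[{hit['kind']}] {hit['indicator']} ({hit['description']}): {hit['line']}")
```

The IP:PORT match is deliberately exact on both address and port, as listed in the report; an analyst who wants to catch the same server on other ports would add a second lookup keyed on the address alone, and the domain match should be extended to subdomains of the listed names when the logs carry full hostnames.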