#BREAKING #ESETresearch uncovered an active NGate Android malware campaign targeting Spanish-speaking users, combining fake app distribution, NFC relay abuse, PIN harvesting, and a shared Devil NFC MaaS backend. The operation is tied to the Devil NFC infrastructure used in 🇪🇸 Spain since January 2026.
Distribution: We identified a domain distributing NGate malware targeting Spanish-speaking users, with a sample uploaded to VirusTotal.
The malware is disguised as an NFC security app called “Seguridad NFC – Bloqueador de Cargos” and delivered through a fake Google Play website:
piaystore.it[.]com
The domain was registered on 2026-04-18 and resolves to 65.109.108[.]183.
Shared infrastructure & MaaS:
The same IP (65.109.108[.]183) also hosts:
https://devilxclusive[.]lol
This domain exposes an admin panel branded “Devil NFC”, which appears to provide NGate as NFC MaaS, linking distribution and backend operations.
NGate functionality:
The app can exfiltrate SMS messages and load a phishing screen from its hardcoded C&C server. The screen mimics a generic account-lock warning and instructs victims to hold their payment card against the back of the smartphone and then enter the card’s PIN.
Both the captured NFC data and the PIN are exfiltrated to the C&C server.
Bank‑branded NFC phishing:
NGate supports custom bank‑branded NFC phishing templates, embedded at build time by the operator.
In this campaign, we observed templates impersonating Santander Bank, shifting from generic warnings to targeted bank abuse.
NFC relay:
The NFC relay server address, used to transfer the captured NFC data, is returned dynamically by the C&C and decrypts to 65.109.108[.]183:5568, the same IP used for hosting and distribution.
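The distribution domain, the Devil NFC panel domain, the shared IP and the relay endpoint above are the kind of indicators a defender would sweep DNS and firewall logs for. The following is an added example (my own code, not ESET's tooling and not part of the thread) that refangs the indicators exactly as posted and matches them against constructed DNS-resolver and firewall log lines; the log formats, the hostnames and the internal 10.0.0.x clients are invented for the demonstration, and the relay port gets its own hit category because a connection to 65.109.108.183:5568 is a stronger signal than a generic contact with that IP.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as given in the thread, kept in their defanged form.
DEFANGED_IOCS = {
    "domains": ["piaystore.it[.]com", "devilxclusive[.]lol"],
    "ips": ["65.109.108[.]183"],
    "ip_ports": ["65.109.108[.]183:5568"],  # NFC relay endpoint
}


def refang(ioc: str) -> str:
    """Undo the usual '[.]' and 'hxxp' defanging so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str  # "domain", "ip" or "relay"


# Assumed log formats (constructed for this example): a BIND-style query
# log and a netfilter-style firewall accept line carrying "dst=IP:PORT".
DNS_RE = re.compile(r"query:\s+(?P<qname>[\w.-]+)")
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def scan_logs(lines):
    """Return a Hit for every line that touches one of the indicators."""
    domains = {refang(d).lower() for d in DEFANGED_IOCS["domains"]}
    ips = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS["ips"]}
    ip_ports = set()
    for entry in DEFANGED_IOCS["ip_ports"]:
        host, port = refang(entry).rsplit(":", 1)
        ip_ports.add((ipaddress.ip_address(host), int(port)))

    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            # Match the domain itself and any subdomain of it.
            if qname in domains or any(qname.endswith("." + d) for d in domains):
                hits.append(Hit(n, qname, "domain"))
        m = CONN_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m.group("ip"))
            port = int(m.group("port"))
            if (ip, port) in ip_ports:
                hits.append(Hit(n, f"{ip}:{port}", "relay"))
            elif ip in ips:
                hits.append(Hit(n, str(ip), "ip"))
    return hits


# Constructed sample log lines; only lines 1, 3, 4 and 5 should match.
SAMPLE_LOGS = [
    "Apr 19 10:02:11 resolver named: client 10.0.0.5#53112: query: piaystore.it.com IN A",
    "Apr 19 10:02:12 resolver named: client 10.0.0.5#53113: query: www.example.org IN A",
    "Apr 19 10:03:40 fw kernel: ACCEPT src=10.0.0.5:41022 dst=65.109.108.183:443 proto=TCP",
    "Apr 19 10:04:02 fw kernel: ACCEPT src=10.0.0.5:41030 dst=65.109.108.183:5568 proto=TCP",
    "Apr 19 10:04:03 resolver named: client 10.0.0.7#53120: query: devilxclusive.lol IN A",
    "Apr 19 10:05:00 fw kernel: ACCEPT src=10.0.0.7:41040 dst=1.1.1.1:443 proto=TCP",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:6} {hit.indicator}")
```

The client that both resolved piaystore.it.com and later opened a connection to port 5568 on the shared IP (10.0.0.5 in the constructed data) is the one to prioritise: that sequence matches download followed by relay traffic, whereas a lone contact with the IP on 443 could be anything hosted there.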
Session & victim tracking:
NGate requests a session ID from the C&C and receives an incrementing value representing the number of connections (e.g., "conexion_id": 854).
This appears to track successful C&C connections, not completed fraud.
Separately, when a victim submits their card PIN, the server returns another incrementing ID — 40 at analysis time — representing confirmed cases where victims tapped a card and entered their PIN.
Historical connection
We have identified that this activity targeting Spanish-speaking users directly connects to earlier Devil NFC MaaS campaigns impersonating:
• Jan 2026: Shein app
• Feb 2026: CaixaBank and Santander Protect, and Seguridad Integral
• Mar 2026: Unicaja Key distributed via SMS links and Dispositivo Seguro
• Apr 2026: Unicaja Protect, Seguridad NFC
Unicaja publicly warned customers about this campaign:
x.com/UnicajaBanco/status/2033…
Victimology:
We detected the CaixaBank Protect, Seguridad Integral, and Unicaja Key malicious apps in Feb and Mar 2026 on Android devices in Spain.
IoCs:
IoCs are available in our GitHub repo:
github.com/eset/malware-ioc/tr…