New Android malware copies card data and PINs for instant ATM cashouts


A new Android-based spyware that leverages NFC technology to make illegal ATM cash withdrawals and empty victims’ bank accounts was examined by the Polish Computer Emergency Response Team (CERT Polska).

Researchers discovered that the software, known as NGate, allows attackers to use banking information stolen from victims’ phones to withdraw money from ATMs (Automated Teller Machines, or cash machines) without actually taking the cards.

NFC (Near Field Communication) is a short-range wireless technology that lets devices such as payment terminals, phones, and payment cards talk to each other when held close together. So rather than stealing your bank card, the attackers use a phone infected with the NGate malware to capture the NFC exchange and pass that transaction data on to an ATM. Instead of travelling only a few centimetres over radio, in NGate’s case the captured data is relayed over the internet to the attackers’ servers.

There are several “flavors” of NFC. Some generate a static code, like the card that opens the door to my apartment complex. I can use a gadget like my “Flipper Zero” to open the door by just copying that type of signal. However, modern contactless payment cards, such as your Visa or Mastercard debit and credit cards, use dynamic codes. Each time you tap, your card’s chip creates a unique, one-time code (commonly referred to as a cryptogram or token). That code is valid for that single transaction and cannot be reused.

That’s why the NGate malware is more advanced. It does more than just pick up a signal from your card. After the phone has been compromised, the victim must be duped into entering their PIN and completing a tap-to-pay or “card verification” action on it. When that occurs, the app records every piece of information required for an NFC transaction, including the card number, the freshly generated one-time code, and the other data created at that same moment.


All of the NFC data, including the PIN, is then immediately forwarded by the malware to the attacker’s handset. Because the codes are freshly generated and only valid for a brief period, the attacker has to use them right away to impersonate your card at an ATM. The accomplice at the ATM presents the captured data using a card-emulating device, such as a phone, smartwatch, or bespoke hardware.
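To make the difference between a copied static code and a one-time cryptogram concrete, here is an added toy model (not code from the article, CERT Polska or Malwarebytes, and not the real EMV protocol): a card MACs a transaction counter together with the reader’s challenge, and an issuer-side check rejects a replayed response, accepts a fast relay (the gap NGate exploits), and rejects a relay whose round trip exceeds an illustrative latency bound, a simplification of the relay-resistance timing checks some card schemes use. The key, challenges and latencies are constructed sample values.

```python
# Added toy model, not code from the article, CERT Polska or Malwarebytes.
import hashlib
import hmac
import os

class ToyCard:
    """Simplified contactless card: a per-card key plus a transaction counter (ATC)."""

    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def respond(self, challenge: bytes, amount: int) -> dict:
        # Each tap bumps the counter and MACs it with the reader's challenge,
        # so the cryptogram is bound to one transaction at one reader.
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + challenge + amount.to_bytes(4, "big")
        return {"atc": self.atc, "mac": hmac.new(self.key, msg, hashlib.sha256).digest()[:8]}

class ToyIssuer:
    """Simplified issuer check: recompute the MAC, refuse stale counters, bound latency."""

    def __init__(self, key: bytes, max_latency_ms: float = 100.0):
        self.key, self.last_atc, self.max_latency_ms = key, 0, max_latency_ms

    def verify(self, challenge: bytes, amount: int, resp: dict, elapsed_ms: float) -> str:
        msg = resp["atc"].to_bytes(2, "big") + challenge + amount.to_bytes(4, "big")
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, resp["mac"]):
            return "REJECT: cryptogram not bound to this reader's challenge"
        if resp["atc"] <= self.last_atc:
            return "REJECT: transaction counter already used"
        if elapsed_ms > self.max_latency_ms:
            return "REJECT: answer too slow for a card physically at the reader"
        self.last_atc = resp["atc"]
        return "APPROVE"

def run_scenarios() -> dict:
    key = os.urandom(16)  # constructed sample card key
    card, issuer = ToyCard(key), ToyIssuer(key)
    # 1. A response captured earlier is replayed against a reader's fresh challenge.
    old = card.respond(os.urandom(4), 5000)
    replay = issuer.verify(os.urandom(4), 5000, old, 20.0)
    # 2. NGate-style relay: the reader's challenge reaches the real card within the window.
    c2 = os.urandom(4)
    relay_fast = issuer.verify(c2, 5000, card.respond(c2, 5000), 80.0)
    # 3. Same relay, but the internet round trip exceeds the latency bound.
    c3 = os.urandom(4)
    relay_slow = issuer.verify(c3, 5000, card.respond(c3, 5000), 450.0)
    return {"replay": replay, "relay_fast": relay_fast, "relay_slow": relay_slow}
```

Scenario 2 is why the article stresses that the cash-out must happen within moments of the victim’s tap: the cryptogram is genuine, only its location is wrong.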

However, as you may guess, social engineering and preparation are needed so that an accomplice is already standing at an ATM when the data arrives.

Attackers must first infect the victim’s device with malware. They usually send prospective victims phishing emails or SMS messages. They frequently try to create anxiety or urgency by claiming that there is a technical or security problem with their bank account. Occasionally, they make a follow-up call while posing as representatives of the bank. These calls or texts instruct victims to download a phony “banking” app from an unofficial source, like a direct link rather than Google Play.

After installation, the app requests permissions and guides users through fictitious “card verification” procedures. The objective is to persuade victims to act swiftly and trustingly while an accomplice waits at an ATM to cash out.

Stay safe:

NGate only functions when your phone is compromised and you are duped into entering your PIN and starting a tap-to-pay action on the phony banking app. Therefore, the greatest defense against this infection is to protect your phone and be on the lookout for social engineering:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
  • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.
