
A new Android-based spyware that leverages NFC technology to make illegal ATM cash withdrawals and empty victims’ bank accounts was examined by the Polish Computer Emergency Response Team (CERT Polska).
Researchers discovered that the software, known as NGate, allows attackers to use banking information stolen from victims’ phones to withdraw money from ATMs (Automated Teller Machines, or cash machines) without actually taking the cards.
NFC is a wireless technology that enables close-quarters communication between gadgets like terminals, cellphones, and payment cards. Therefore, rather of stealing your bank card, the attackers use a mobile phone infected with the NGate virus to record NFC (Near Field Communication) activities and send that transaction data to ATM equipment. Instead of being relayed just via radio, the stolen data in NGate’s situation is transmitted over the network to the attackers’ servers.
There are several “flavors” of NFC. Some generate a static code, like the card that opens the door to my apartment complex. I can use a gadget like my “Flipper Zero” to open the door by just copying that type of signal. However, dynamic codes are used by sophisticated contactless payment cards, such as your Visa or Mastercard debit and credit cards. Your card’s chip creates a unique, one-time code (commonly referred to as a cryptogram or token) each time you use the NFC. This code is unique and cannot be reused.
That’s why the NGate malware is more advanced. It does more than just pick up a signal from your card. The victim must be duped into entering their PIN and completing a tap-to-pay or card-verification activity after the phone has been compromised. When that occurs, the app records every piece of information required for an NFC transaction, including the card number, new one-time codes, and other information created at that same moment.

All of the NFC data, including the PIN, is then immediately sent to the attacker’s handset via the virus. The attacker uses the codes right away to mimic your card at an ATM because they are newly produced and only valid for a brief period of time. The accomplice at the ATM displays the collected data using a card-emulating device, such as a phone, smartwatch, or bespoke hardware.
However, as you may guess, social engineering and preparation are necessary to be prepared at an ATM when the data arrives.
Attackers must first infect the victim’s device with malware. They usually send prospective victims phishing emails or SMS messages. They frequently try to create anxiety or urgency by claiming that there is a technical or security problem with their bank account. Occasionally, they make a follow-up call while posing as representatives of the bank. These calls or texts instruct victims to download a phony “banking” app from an unofficial source, like a direct link rather than Google Play.
After installation, the software requests permissions and guides users through fictitious “card verification” procedures. While an accomplice waits at an ATM to cash out, the objective is to persuade victims to act swiftly and trustingly.
Stay safe:
NGate only functions when your phone is compromised and you are duped into entering your PIN and starting a tap-to-pay action on the phony banking app. Therefore, the greatest defense against this infection is to protect your phone and be on the lookout for social engineering:
- Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
- Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
- Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
- Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.
Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.

Google Pixel 9

Google Pixel Watch 4
Keep Reading
The Huawei Nova 17 Air is beginning to take shape in leaks, with the latest report pointing to a possible debut window of late November or early December this year. If accurate, it would mark the first Airy-branded model in the Nova lineup. Weibo leaker SuperDimensional reported that the Huawei Nova 17 Air, also referred […]

Early Geekbench results for the Snapdragon 6 Gen 5 show almost no CPU improvement over the Snapdragon 6 Gen 4, with the older chip actually edging it out in single-core performance. GPU gains look more promising, sitting around 20%, but raw processing power appears to be largely unchanged. Typically, when a company like Qualcomm releases […]

New software launches rarely go off without a hitch, and Android 17 is proving no different. Shortly after the update rolled out, Pixel owners began reporting connectivity problems — specifically, losing access to 5G entirely after installing the update. Reports surfaced on the Google Pixel subreddit, with multiple users across different device generations describing the […]

Huawei’s next Kirin 5G chipsets for the Mate 90 series are expected to deliver a meaningful performance step up over the 2025 versions, driven by a shift away from Moore’s Law toward Tau’s Scaling Law. According to a new leak, HarmonyOS 7 is being developed with this architectural shift in mind. Weibo leaker @FixedFocus reports […]

The Honor X70 Pro Max has arrived without any formal launch event, slipping onto the market with a focus on durability, battery endurance, and a capable Qualcomm chipset. The phone comes in four color options: Phantom Purple, Sunburst Gold, Bamboo Rhythm Green, and Phantom Night Black. It measures 161.9 x 76.1 x 7.76mm and weighs […]

If Samsung Messages is still the default texting app on a Galaxy phone, July is going to require some attention. The app is being deactivated for US users, and texts, RCS conversations, and message history stored inside it won’t move anywhere on their own. Everything is transitioning to Google Messages – and while the migration […]






Comments & Discussions
Join the conversation! We use Disqus to handle comments. Click the button below to load the comment section.