
New NGate Malware Lets Hackers Drain ATMs Remotely

The NGate malware uses Android NFC relays and social engineering to let attackers withdraw cash from ATMs without stealing victims’ cards.

Written By
Ken Underhill
Nov 5, 2025

NGate, an Android malware family that performs NFC relay attacks, has emerged targeting banking customers in Poland.

Analysts from CERT Polska report that NGate allows attackers to perform unauthorized cash withdrawals at ATMs without physically stealing payment cards.

Instead, the malware leverages advanced social engineering and technical exploitation to intercept and relay NFC payment data between victims’ smartphones and attacker-controlled devices.

How the NGate Attack Works

Unlike traditional card skimming or cloning, NGate relies on Near Field Communication (NFC) relaying: the card stays in the victim's hands, and its contactless responses are forwarded live to an attacker's device held against an ATM.

The operation begins with a targeted phishing campaign. Victims receive fraudulent messages via email or SMS that appear to come from their bank, often warning of “technical issues” or “security incidents.” 

These messages direct users to install a malicious banking application disguised as legitimate software.

Once installed, the malware’s operators follow up with phone calls impersonating bank representatives, adding a layer of credibility to the scam. 

The caller instructs the victim to verify their identity by tapping their physical payment card against their phone and entering their PIN on a fake on-screen keypad.

Tapping the card puts the victim's phone into NFC reader mode: the malware talks to the card exactly as a payment terminal would, and forwards every command and response over the network to the attacker's command-and-control (C2) server.

It is the attacker's own phone, at the ATM, that uses Host Card Emulation (HCE) to present itself as the victim's card; the answers it gives the ATM are the ones just read from the real card through the victim's handset.

Technical Breakdown of the Attack

The technical sophistication of NGate lies in its ability to relay live payment sessions. 

Once the victim's card is tapped and the PIN has been captured, a second device, controlled by the attacker and held against an ATM's contactless reader, takes part in the transaction. Every command the ATM sends is forwarded over the C2 channel to the victim's phone, passed to the card, and the card's answer travels back the same way to the ATM. Because an EMV transaction includes an unpredictable number chosen by the terminal and a cryptogram the card computes over it, previously recorded responses would not verify; the session has to be relayed live rather than replayed. The ATM accepts the attacker's device as the victim's legitimate card, and the attacker enters the exfiltrated PIN to complete the withdrawal.

The malware stores an encrypted configuration blob among the application's assets.

The blob contains the C2 server address and is XOR-encrypted with a key derived from the SHA-256 hash of the APK's signing certificate.

The key is derived at runtime in native code, through JNI calls into Android's PackageManager to fetch the certificate, so it never appears as a constant in the APK. This complicates static analysis, and it also ties the configuration to the original signing certificate: a sample that an analyst has repackaged and resigned derives a different key and decrypts the blob to garbage.
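The derivation is simple enough to reproduce when unpacking a sample. The following Python is an added example written for this article, not code from NGate or from CERT Polska's analysis. It assumes a layout the article does not specify, namely that the raw 32-byte SHA-256 digest of the DER-encoded signing certificate is cycled over the asset as a repeating XOR key and that the plaintext is JSON; the certificate bytes, the asset and the C2 address are constructed placeholders. Against a real sample you would take the certificate from the APK's signature block (apksigner verify --print-certs prints its SHA-256 digest directly) and adjust the key layout if the digest turns out to be used as hex text or in another byte order.

```python
import hashlib
import json
from itertools import cycle
from typing import Optional

# Assumed key layout (the article does not specify it): the raw 32-byte SHA-256
# digest of the DER-encoded signing certificate, cycled over the asset as a
# repeating XOR key.  Adjust if a sample uses the hex digest or another order.

def derive_key(cert_der: bytes) -> bytes:
    """Key = SHA-256(signing certificate), the derivation the malware performs via JNI."""
    return hashlib.sha256(cert_der).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decrypt_config(asset: bytes, cert_der: bytes) -> Optional[dict]:
    """Decrypt and validate the asset; None means the certificate (hence the key) is wrong."""
    plain = xor_stream(asset, derive_key(cert_der))
    try:
        parsed = json.loads(plain.decode("utf-8"))
    except ValueError:                      # covers UnicodeDecodeError and JSONDecodeError
        return None
    return parsed if isinstance(parsed, dict) else None

# Constructed placeholders: stand-ins for the original and a resigned certificate,
# and a sample config.  203.0.113.10 is documentation address space, not a real C2.
ORIGINAL_CERT = b"\x30\x82\x02\x00constructed original signing certificate"
RESIGNED_CERT = b"\x30\x82\x02\x00constructed analyst resigned certificate"
SAMPLE_CONFIG = {"c2": "203.0.113.10:4444", "mode": "relay"}
ENCRYPTED_ASSET = xor_stream(json.dumps(SAMPLE_CONFIG).encode(), derive_key(ORIGINAL_CERT))

if __name__ == "__main__":
    print("original cert:", decrypt_config(ENCRYPTED_ASSET, ORIGINAL_CERT))
    print("resigned cert:", decrypt_config(ENCRYPTED_ASSET, RESIGNED_CERT))
```

The parse check at the end is the practical sanity test: if the output is not valid JSON, the certificate you fed in is not the one the sample was shipped with, which is exactly what happens to a resigned APK.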

The malware communicates with its C2 server over cleartext TCP, using a framed protocol with length markers and operation codes; nothing is protected by TLS, so the exchanges are visible to anyone who can capture the victim's network traffic. During these exchanges, NGate captures sensitive payment information, including:

  • Primary Account Number (PAN)
  • Expiration date
  • Application Identifiers (AIDs)
  • Application Protocol Data Units (APDUs)

The captured PIN is then immediately exfiltrated through separate protocol messages, providing attackers everything they need to withdraw cash.
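The full relay, as an added example that is not part of the article or of any published NGate code. It models both halves of the attack in one Python process: the victim's phone in NFC reader mode answering framed APDU command messages from the C2 side, and the attacker's phone at the ATM forwarding every command the terminal sends. The frame layout (2-byte length, 1-byte opcode, payload) and the opcode values are assumptions standing in for the length markers and operation codes the article describes, the cryptogram is an HMAC over the terminal's unpredictable number rather than a real EMV ARQC, in-process calls stand in for the cleartext TCP connection, and the PAN is the standard 4111 test number. The last function shows why the attack relays instead of replaying: recorded responses fail on the next session because the ATM picks a fresh unpredictable number.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, List, Tuple

# Hypothetical framing: 2-byte big-endian length (covers opcode + payload),
# 1-byte opcode, payload.  NGate's real opcodes and field order are not given here.
OP_APDU_CMD, OP_APDU_RSP, OP_CARD_DATA, OP_PIN = 0x01, 0x02, 0x03, 0x04

def pack_frame(opcode: int, payload: bytes) -> bytes:
    return struct.pack(">HB", len(payload) + 1, opcode) + payload

def unpack_frame(buf: bytes) -> Tuple[int, bytes, bytes]:
    """Return (opcode, payload, remaining bytes); reject short or truncated frames."""
    if len(buf) < 3:
        raise ValueError("short frame")
    length, opcode = struct.unpack(">HB", buf[:3])
    if len(buf) < 2 + length:
        raise ValueError("truncated frame")
    return opcode, buf[3:2 + length], buf[2 + length:]

# Constructed issuer key; the PAN used below is the standard 4111... test number.
CARD_KEY = hashlib.sha256(b"constructed issuer key, example only").digest()

class ContactlessCard:
    """The victim's card, tapped against the infected phone."""
    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self.key = pan, expiry, key

    def transceive(self, apdu: bytes) -> bytes:
        if apdu[:2] == b"\x00\xa4":                      # SELECT by AID
            return b"AID:A0000000031010\x90\x00"
        if apdu[:2] == b"\x00\xb2":                      # READ RECORD -> PAN and expiry
            return f"PAN:{self.pan};EXP:{self.expiry}".encode() + b"\x90\x00"
        if apdu[:2] == b"\x80\xae":                      # GENERATE AC over the terminal's UN
            un = apdu[5:]                                # data field follows CLA INS P1 P2 Lc
            return hmac.new(self.key, un, hashlib.sha256).digest()[:8] + b"\x90\x00"
        return b"\x6d\x00"                               # instruction not supported

class ATM:
    """Contactless terminal: fresh unpredictable number per session, cryptogram checked."""
    def __init__(self, key: bytes):
        self.key = key

    def withdraw(self, card: Callable[[bytes], bytes]) -> bool:
        un = os.urandom(4)
        card(b"\x00\xa4\x04\x00\x0eA0000000031010")
        record = card(b"\x00\xb2\x01\x0c\x00")
        ac = card(b"\x80\xae\x80\x00\x04" + un)
        expected = hmac.new(self.key, un, hashlib.sha256).digest()[:8]
        return record.endswith(b"\x90\x00") and hmac.compare_digest(ac[:8], expected)

class VictimPhone:
    """NGate in NFC reader mode: unpacks APDU_CMD frames from C2, talks to the tapped card."""
    def __init__(self, card: ContactlessCard):
        self.card = card

    def card_data_frame(self) -> bytes:
        """Sent as soon as the card is tapped: PAN and expiry read from the card."""
        record = self.card.transceive(b"\x00\xb2\x01\x0c\x00")
        return pack_frame(OP_CARD_DATA, record[:-2])

    def handle(self, frame: bytes) -> bytes:
        opcode, payload, _ = unpack_frame(frame)
        if opcode != OP_APDU_CMD:
            raise ValueError("unexpected opcode")
        return pack_frame(OP_APDU_RSP, self.card.transceive(payload))

class AttackerPhone:
    """HCE side at the ATM: each APDU from the terminal crosses the relay and comes back."""
    def __init__(self, victim: VictimPhone):
        self.victim = victim

    def transceive(self, apdu: bytes) -> bytes:
        _, response, _ = unpack_frame(self.victim.handle(pack_frame(OP_APDU_CMD, apdu)))
        return response

def live_relay(atm: ATM, card: ContactlessCard) -> bool:
    """The NGate flow: ATM <-> attacker phone <-> C2 <-> victim phone <-> card."""
    return atm.withdraw(AttackerPhone(VictimPhone(card)).transceive)

def replay_capture(atm: ATM, card: ContactlessCard) -> bool:
    """Record one session's responses, then feed them to a second session without the card."""
    log: List[bytes] = []
    def record(apdu: bytes) -> bytes:
        rsp = card.transceive(apdu)
        log.append(rsp)
        return rsp
    atm.withdraw(record)                               # session 1: responses captured
    replies = iter(log)
    return atm.withdraw(lambda apdu: next(replies))    # session 2: new UN, stale cryptogram

if __name__ == "__main__":
    card = ContactlessCard("4111111111111111", "12/27", CARD_KEY)
    print("card data frame:", unpack_frame(VictimPhone(card).card_data_frame())[1])
    print("live relay withdraws:", live_relay(ATM(CARD_KEY), card))
    print("replay withdraws:", replay_capture(ATM(CARD_KEY), card))
```

Two details matter for defenders. The PAN and expiry leave the phone in their own frame the moment the card is tapped, before any ATM session, so exfiltration does not wait for the withdrawal. And because each terminal session carries a new unpredictable number, the relay must stay connected to the victim's phone for as long as the attacker is at the ATM, which is also why the operators keep the victim on the phone.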

Why NGate Represents a New Class of Banking Threats

NGate exemplifies a hybrid attack that merges social engineering with advanced technical exploitation. 

The attack does not rely on local card cloning or direct skimming hardware — instead, it hijacks the contactless transaction flow by manipulating mobile devices already trusted by the victim.

As contactless payments become standard across banking ecosystems, attackers are exploiting the trust gap between users, mobile platforms, and financial institutions.

Mitigations and Protection Measures

While banks and security vendors continue to analyze NGate, users can reduce their exposure by following some key security fundamentals:

  • Install apps only from trusted sources like the Google Play Store or your bank’s official site — never from links in messages.
  • Verify bank communications by contacting your bank directly instead of responding to unsolicited calls or texts.
  • Never share your PIN or tap your card to verify identity — legitimate banks won’t request this.
  • Review the permissions an app requests and be suspicious of a supposed banking app that asks for device-administrator or screen-overlay access, or for NFC when your bank's real app does not use it.
  • Turn off NFC when unused to prevent unauthorized wireless data transfers.
  • Use reputable mobile security software to detect malicious or suspicious apps.
  • Report any suspicious activity immediately to your bank and freeze affected cards.

By staying cautious with app installations, verifying communications, and maintaining strong device security, users can greatly reduce their risk of NGate-style attacks and other emerging mobile banking threats.

NGate demonstrates the growing complexity of mobile payment fraud, where attackers combine human manipulation and technical exploitation to bypass physical security controls.

The relay only works once a victim has been talked into installing the app, tapping the card and entering the PIN, so refusing to do any of those at the request of an unsolicited caller breaks the attack at its weakest link.
