NGate Malware Enables ATM Cash Withdrawals

Security researchers from CERT Polska have identified a sophisticated Android-based malware campaign – NGate – that allows criminals to withdraw cash from ATMs using victims’ payment cards without physically taking the card.

This attack demonstrates how mobile devices and near-field communication (NFC) capabilities are being weaponised to facilitate highly targeted financial fraud across banking systems.

How the Attack Works

The NGate campaign blends social engineering, fake banking apps and NFC relay technology:

  • Victims receive phishing SMS or email messages claiming a security problem with their bank account and are directed to install a fake banking app.
  • Once installed, the malicious app asks the user to tap their payment card to the phone (using NFC) and enter their PIN for “verification”. The app registers itself as a Host Card Emulation (HCE) payment service.
  • The app captures the victim’s NFC communications (card PAN, expiration date, AID, APDUs) and the entered PIN, then transmits them to a command and control (C2) server.
  • The attackers then replay the captured NFC data and PIN at an ATM (or other terminal) using an attacker-controlled device emulating the card, and withdraw funds.

Why This Matters

  • The attack bypasses the need to steal a physical card, combining mobile malware with in-person ATM access – a clear escalation in fraud capability.
  • Financial institutions and customers across sectors such as banking, fintech, consumer payment services and retail with card-based operations are at risk.
  • Standard mobile malware detection and payment system protections may not be sufficient against relay-based attacks that exploit legitimate NFC flows.
  • Victims may not suspect malware, since the card still appears to work normally and withdrawal happens physically, often through a mule at an ATM.

Recommended Actions

  • Require customers to download banking apps only from official app stores and verify the publisher identity.
  • Encourage users to disable NFC when not needed and monitor devices for apps requesting unusual permissions (HCE, NFC).
  • Implement transaction monitoring for unusual card-usage patterns – e.g., an ATM withdrawal made in a region different from the one where the cardholder's device is being used at that time.
  • Deploy mobile-threat detection solutions that can inspect for apps using HCE services and unusual network activity on Android devices.
  • For banks and payment services: review authorization workflows for NFC transactions, verify device and session context, and use additional risk signals before permitting high-value withdrawals.
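As an added illustration of the transaction-monitoring recommendation above (example code written for this page, not from CERT Polska, COE Security or any NGate analysis), the following Python compares each ATM withdrawal against the cardholder's most recent mobile-banking session and raises an alert when the two regions disagree. The 30-minute window, the high-value threshold and all session and withdrawal records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed records (not from the article): a mobile-banking session shows where
# the cardholder's phone was; a withdrawal shows where the card was presented.

@dataclass(frozen=True)
class DeviceSession:
    card_id: str
    ts: datetime
    region: str

@dataclass(frozen=True)
class Withdrawal:
    card_id: str
    ts: datetime
    region: str
    amount: float

WINDOW = timedelta(minutes=30)  # assumed: how recent the phone's location must be
HIGH_VALUE = 300.0              # assumed: threshold for escalated severity

def last_session_before(sessions, card_id, ts, window=WINDOW):
    """Most recent session for this card within `window` before `ts`, else None."""
    hits = [s for s in sessions if s.card_id == card_id and ts - window <= s.ts <= ts]
    return max(hits, key=lambda s: s.ts) if hits else None

def flag_relay_suspects(withdrawals, sessions):
    """Flag withdrawals made in a different region from the phone's recent session.
    Cards with no recent session are left unflagged: no evidence is not a mismatch."""
    alerts = []
    for w in withdrawals:
        s = last_session_before(sessions, w.card_id, w.ts)
        if s is not None and s.region != w.region:
            alerts.append({
                "card_id": w.card_id,
                "atm_region": w.region,
                "device_region": s.region,
                "minutes_apart": (w.ts - s.ts).total_seconds() / 60,
                "severity": "high" if w.amount >= HIGH_VALUE else "medium",
            })
    return alerts

# Constructed sample: card-A's phone is in Warsaw but the card is used in Poznan
# ten minutes later; card-B matches; card-C's only session is outside the window.
T = datetime(2024, 3, 1, 10, 0)
SESSIONS = [DeviceSession("card-A", T, "Warsaw"),
            DeviceSession("card-B", T + timedelta(minutes=5), "Krakow"),
            DeviceSession("card-C", T - timedelta(hours=2), "Gdansk")]
WITHDRAWALS = [Withdrawal("card-A", T + timedelta(minutes=10), "Poznan", 500.0),
               Withdrawal("card-B", T + timedelta(minutes=15), "Krakow", 80.0),
               Withdrawal("card-C", T + timedelta(minutes=20), "Warsaw", 200.0)]
```

Only card-A is flagged: card-B's phone and card agree, and card-C has no session inside the window, so the rule reports nothing rather than guessing.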

About COE Security

COE Security partners with organisations in financial services, healthcare, retail, manufacturing and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customised training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customised CyberSecurity Services

In response to threats like NGate, COE Security offers mobile malware threat-hunting, NFC-relay risk assessments, banking-app supply-chain review, and transaction-fraud modelling for payment services. Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.
