A new strain of Android malware, dubbed NGate, has been found exploiting near-field communication (NFC) technology to drain cash from victims’ bank accounts — not by stealing cards, but by hijacking their digital signals. The attack, uncovered by CERT Polska, merges classic social engineering with advanced mobile exploitation to enable seamless ATM withdrawals in real time.
A Fraud That Begins With a Message
The NGate campaign begins not with code, but with conversation. Victims receive persuasive emails or text messages posing as alerts from their banks — warnings about “security issues” or “account verification.” The links lead to websites distributing a convincing but malicious Android application masquerading as “bank support” software.
Once installed, the app operates like any legitimate financial tool, adopting the look and feel of trusted institutions. Scammers reinforce credibility through follow-up phone calls posing as official representatives, even sending SMS messages to “confirm” employee identities.
It is only when victims are asked to “verify” their payment card by tapping it against their phone that the real attack begins. Beneath the surface, NGate quietly intercepts the card’s data and transmits it in real time to a remote server controlled by the attackers.
Inside the Technical Relay
CERT Polska’s forensic analysis revealed that NGate registers itself as a Host Card Emulation (HCE) service — a legitimate Android function that allows phones to act as virtual payment cards. The malware runs in “reader mode,” capturing the NFC signals that would normally pass securely between a contactless card and a payment terminal.
Once the card’s details are captured — including the Primary Account Number (PAN), expiry date, Application Identifiers (AIDs), and PIN — the app sends them to a command-and-control (C2) server over a custom TCP-based communication channel. Analysts decrypted the app’s internal configuration file to reveal the C2 address: 91.84.97.13:5653.
The malware’s core functions reside in a native library, libapp.so, responsible for decrypting stored configuration data and initializing network connections. Communication occurs in plaintext, with periodic “keep-alive” pings every seven seconds — a design choice that makes forensic tracking straightforward, but real-time detection difficult.
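The seven-second keep-alive described above is the kind of regularity a defender can hunt for in network flow logs. The following Python checker is an added example, not code from CERT Polska or the NGate sample; its log format and sample lines are constructed (the C2 address is the one quoted in this write-up), and the jitter threshold is an assumption to tune per environment.

```python
"""Flag hosts connecting to one endpoint at a fixed interval.

Added example (not code from CERT Polska or the NGate sample): the write-up
describes a plaintext TCP channel to the C2 with a keep-alive every seven
seconds, which shows up in flow logs as near-constant gaps between connections.
Log format and sample lines are constructed; the C2 address is from the write-up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-05-02T10:00:00 10.0.0.7 91.84.97.13:5653
2024-05-02T10:00:07 10.0.0.7 91.84.97.13:5653
2024-05-02T10:00:14 10.0.0.7 91.84.97.13:5653
2024-05-02T10:00:22 10.0.0.7 91.84.97.13:5653
2024-05-02T10:00:28 10.0.0.7 91.84.97.13:5653
2024-05-02T10:00:03 10.0.0.9 203.0.113.5:443
2024-05-02T10:00:41 10.0.0.9 203.0.113.5:443
2024-05-02T10:02:41 10.0.0.9 203.0.113.5:443
2024-05-02T10:02:56 10.0.0.9 203.0.113.5:443
"""

def parse_flows(log_text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log_text, min_events=4, max_jitter=0.2):
    """Return (src, dst, mean_gap_seconds) for suspiciously regular pairs.

    Flagged when the pair has at least min_events connections and the std-dev
    of the gaps is at most max_jitter of the mean gap (assumed threshold).
    """
    hits = []
    for (src, dst), stamps in parse_flows(log_text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: connects every ~{gap}s (beacon candidate)")
```

The tolerance matters: the infected host's gaps are 7, 7, 8 and 6 seconds and still get flagged, while the irregular browsing pair to port 443 does not.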
From Digital Theft to Physical Cash
Once activated, NGate allows criminals to replay captured NFC traffic at an ATM or point-of-sale terminal using a second device acting as the “emitter.” The victim’s phone acts as the reader, gathering card credentials; the attacker’s device acts as the card, transmitting that data at a distance.
This relay effectively clones the victim’s payment identity, allowing the attacker to emulate their card and withdraw cash without ever stealing it physically. CERT Polska’s analysis suggests that NGate’s architecture supports dual modes — reader and emitter — facilitating full end-to-end NFC relay attacks.
Unlike traditional malware that drains online wallets, NGate bridges the digital and physical worlds. In doing so, it transforms the smartphone into an unwitting proxy for live financial theft — a “contactless pickpocket” operating at network speed.
A Local Discovery With Global Lessons
While the campaign currently targets users of Polish banks, cybersecurity experts warn that NGate’s framework could be easily adapted for other markets, especially as contactless payments proliferate worldwide. The attack’s success relies not on exploiting software vulnerabilities but on manipulating human trust — convincing victims to install an unverified app and follow instructions that feel routine.
CERT Polska has urged users to download only verified applications from official app stores and to contact their banks directly if asked to install additional “verification tools.”
