NGate Malware Enables Unauthorized Cash Withdrawals at ATMs Using Victims’ Payment Cards


A sophisticated Android-based NFC relay attack dubbed NGate has emerged as a serious threat to banking security across Poland, targeting financial institutions and their customers through coordinated social engineering and technical exploitation.

Cert.PL analysts identified new malware samples in recent months that orchestrate unauthorized ATM cash withdrawals without requiring physical theft of payment cards.

Rather than stealing cards directly, threat actors employ a relay mechanism that captures NFC communication from victims’ Android phones and forwards it to attacker-controlled devices positioned at ATMs.

The attack chain combines multiple deception tactics to succeed. Victims initially receive phishing messages via email or SMS claiming technical problems or security incidents, directing them to install a fake banking application.

Following installation, scammers impersonate bank employees through phone calls requesting identity verification, further legitimizing the fraudulent application.

The victim is then prompted to tap their physical payment card against the phone for verification purposes while entering their PIN through an on-screen keypad.


Cert.PL analysts noted the sophisticated technical architecture underlying NGate’s operations.

Once the victim taps their card, the malware captures the full NFC exchange, identical to what a legitimate payment terminal would see, and transmits it to the attacker’s C2 server at IP 91.84.97.13:5653.

Payment verification (Source - Cert.PL)

The attacker’s device then replays this data to the ATM; with both the card data and the PIN already in hand, the attackers withdraw cash from the victim’s account.

Infection mechanism

The infection mechanism relies on several evasion techniques. The application registers itself as a Host Card Emulation (HCE) payment service on Android, which lets it present itself to a terminal as a virtual card.

Configuration data containing the C2 server address remains hidden in an encrypted asset bundled within the application.

The encryption uses the SHA-256 hash of the APK signing certificate as the XOR key; native code reached through JNI retrieves the certificate from the Android PackageManager to derive it, so the asset only decrypts correctly inside the genuine signed package.
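The key derivation just described can be reproduced by an analyst who has the APK’s signing certificate and the encrypted asset, in order to pull the C2 address out of a sample. The following is an added example, not Cert.PL’s or the malware’s code; it assumes (the article does not say) that the raw 32-byte digest of the DER-encoded certificate is cycled over the whole asset and that the plaintext is a JSON object with a `c2` field.

```python
import hashlib
import json

# Added example (not Cert.PL's or NGate's code): derive the XOR key the way
# the article describes and recover the C2 address from the encrypted asset.
# Assumptions not stated on the page: the key is the raw SHA-256 digest of the
# DER certificate, repeated over the asset, and the plaintext is JSON with "c2".

def derive_key(cert_der: bytes) -> bytes:
    """SHA-256 of the APK signing certificate, used as the XOR key."""
    return hashlib.sha256(cert_der).digest()

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_c2(cert_der: bytes, encrypted_asset: bytes) -> str:
    """Decrypt the bundled config and return the host:port of the C2 server."""
    plaintext = xor_cycle(encrypted_asset, derive_key(cert_der))
    try:
        cfg = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # A wrong certificate (e.g. a re-signed APK) yields garbage, not JSON.
        raise ValueError("asset did not decrypt to a JSON config: wrong "
                         "certificate or a different key scheme") from exc
    return cfg["c2"]

# Constructed sample input: a placeholder stands in for the real DER
# certificate; the config carries the C2 address Cert.PL reported.
SAMPLE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-CERT-DER"
SAMPLE_CONFIG = json.dumps({"c2": "91.84.97.13:5653"}).encode("utf-8")
SAMPLE_ASSET = xor_cycle(SAMPLE_CONFIG, derive_key(SAMPLE_CERT_DER))

if __name__ == "__main__":
    print(extract_c2(SAMPLE_CERT_DER, SAMPLE_ASSET))
```

Because the key is tied to the signing certificate, a re-signed copy of the APK will fail at the decode step, which is what the `ValueError` path illustrates.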

Technical analysis shows the app establishes cleartext (unencrypted) TCP connections to the C2 using a framed protocol in which each message carries a length marker and an opcode.

The malware captures card data, including the PAN, expiration date, application identifiers (AIDs) and the raw APDU exchange, and then immediately exfiltrates the PIN in dedicated protocol messages.

Users can protect themselves by downloading banking applications exclusively from official stores and verifying unexpected bank calls through direct contact with their financial institution.
