NGate is an Android malware family that abuses the phone's NFC interface to enable unauthorized ATM cash withdrawals without the payment card ever leaving the victim's possession.
Instead of stealing the card, the operators run a relay attack: the malware on the victim's Android phone captures the card's NFC exchange and forwards it to an attacker-controlled device standing at an ATM, which presents the relayed card data to the terminal as if the genuine card were present, so the fraudulent withdrawal passes the terminal's normal checks.
The NGate campaign initiates through carefully orchestrated social engineering tactics designed to lower victim vigilance.
Targets receive phishing messages via email or SMS claiming to address technical problems or security incidents, with links directing victims to fraudulent pages that encourage installation of what appears to be a legitimate banking application.
Samples analyzed show malicious APKs distributed through file-hosting services, creating multiple distribution pathways.
The attack intensifies when threat actors pose as bank staff through phone calls, creating a false sense of authority and legitimacy.
These scammers claim to “confirm identity” and justify the need for the malicious application. To reinforce credibility, victims simultaneously receive SMS messages appearing to confirm the caller’s identity as an alleged bank employee—a coordinated deception that significantly increases the likelihood of successful compromise.
Once installed, the application prompts victims to verify their payment card directly within the app interface. This crucial step requires placing the physical card against the phone’s NFC reader and entering the card’s PIN using an on-screen keypad.

This seemingly routine verification process becomes the pivotal moment where compromise occurs, as the malware captures the card’s complete NFC data exchange—the identical information that flows during legitimate ATM transactions.
NFC Relay and C2 Communication
The NGate malware registers itself as a Host Card Emulation (HCE) payment service on Android. HCE lets an app answer a terminal's APDU commands in software, so a phone running the malware can present the relayed card to an ATM or point-of-sale terminal as though it were the physical card.
The malware’s server address and operational parameters remain hidden within an encrypted asset bundled with the application, decrypted using a key derived from the APK’s signing certificate SHA-256 hash.
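An analyst triaging a suspected banking APK can check the decoded manifest for exactly the registration described above. The following is an added example (not NGate's code, nor anything taken from the samples) that parses a decoded AndroidManifest.xml, such as apktool output, and reports every service that registers as an HCE service along with the app-level permissions that would make a relay possible. The manifest embedded here is constructed; the package and class names in it are invented for illustration and are not indicators.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Android manifest namespace and the HCE registration markers defined by the
# Android platform for android.nfc.cardemulation.HostApduService.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"


def find_hce_services(manifest_xml: str) -> List[Dict[str, object]]:
    """Return one finding per <service> that registers as an HCE service.

    Input is a decoded (plain-text) AndroidManifest.xml. Nothing here is a
    verdict: legitimate wallet apps register HCE services too, so the output
    is a triage signal to read next to where the APK came from.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings: List[Dict[str, object]] = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        metas = {m.get(ANDROID_NS + "name") for m in svc.iter("meta-data")}
        findings.append({
            "service": svc.get(ANDROID_NS + "name"),
            "exported": svc.get(ANDROID_NS + "exported") == "true",
            # A working HCE service is guarded by BIND_NFC_SERVICE so that
            # only the platform NFC stack can bind to it.
            "bound_by_nfc_permission": svc.get(ANDROID_NS + "permission") == BIND_NFC,
            # The apduservice resource carries the AID filters and the
            # "payment" category that let the phone stand in for a card.
            "declares_apdu_metadata": HCE_META in metas,
            "app_requests_nfc": "android.permission.NFC" in perms,
            # INTERNET is what turns a card emulator into a relay.
            "app_requests_internet": "android.permission.INTERNET" in perms,
        })
    return findings


# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <service android:name=".RelayService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in find_hce_services(SAMPLE_MANIFEST):
        print(finding)
```

On a real APK, run it on the manifest produced by `apktool d sample.apk` and treat an HCE payment service plus INTERNET in an app that arrived via an SMS link or a file-hosting site as a reason to pull the apduservice resource and the network code next.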
Analysis of captured samples revealed a live C2 endpoint at 91.84.97.13 on TCP port 5653. When the victim taps the card, the malware captures the full NFC exchange and sends it, together with the PIN typed into the app, to the C2 server or directly to an attacker-controlled device positioned at an ATM.
The attacker's device then emulates the victim's card at the ATM and the relayed PIN is entered. No authentication control is actually bypassed: the relay simply lets what the terminal sees as a genuine card-and-PIN transaction happen at a machine the cardholder never approached.
The C2 protocol uses a simple framed format: a 4-byte frame length, a 4-byte opcode, and the message body. Notably, this sample sent that traffic over plaintext TCP with no TLS, so the relayed card data and PIN are readable by anyone on the network path, and defenders can reconstruct the exchanges directly from a packet capture.
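Because the traffic is unencrypted, the frame format above is enough to rebuild the relayed exchanges from a reassembled TCP stream. The following is an added example written for this page, not code from the NGate samples or from any published analysis. It implements a parser for the described length/opcode/body framing that copes with frames split across TCP segments and rejects implausible lengths, and flags bodies that carry standard EMV artifacts (the PPSE name `2PAY.SYS.DDF01` and a SELECT-by-AID command header). The byte order of the header fields, whether the length field counts the opcode, the opcode values and the sample traffic are all assumptions or constructed data; the page states none of them.

```python
import struct
from dataclasses import dataclass
from typing import List

HEADER_LEN = 8  # 4-byte frame length + 4-byte opcode, as described above


@dataclass
class Frame:
    opcode: int
    body: bytes


class FrameParser:
    """Reassembles length/opcode/body frames from a TCP byte stream.

    Assumed (not given on the page): big-endian fields, and a length field that
    counts the opcode and body but not itself. Both can be switched.
    """

    MAX_FRAME = 1 << 20  # refuse absurd lengths before buffering for them

    def __init__(self, byteorder: str = ">", length_includes_header: bool = False):
        self._buf = bytearray()
        self._hdr = struct.Struct(byteorder + "II")
        self._inc = length_includes_header

    def feed(self, data: bytes) -> List[Frame]:
        """Append one TCP segment payload; return every frame now complete."""
        self._buf += data
        out: List[Frame] = []
        while len(self._buf) >= HEADER_LEN:
            length, opcode = self._hdr.unpack_from(self._buf, 0)
            total = length if self._inc else 4 + length  # whole frame on the wire
            if total < HEADER_LEN or total > self.MAX_FRAME:
                raise ValueError(f"implausible frame length {length}")
            if len(self._buf) < total:
                break  # frame continues in a later segment
            out.append(Frame(opcode, bytes(self._buf[HEADER_LEN:total])))
            del self._buf[:total]
        return out


def build_frame(opcode: int, body: bytes, byteorder: str = ">",
                length_includes_header: bool = False) -> bytes:
    """Encode a frame under the same assumptions, used here to build test traffic."""
    length = len(body) + (HEADER_LEN if length_includes_header else 4)
    return struct.pack(byteorder + "II", length, opcode) + body


# Standard EMV constants: the contactless PPSE name and the APDU header of a
# SELECT-by-AID command. If a frame body carries a captured card exchange,
# one of these is very likely to appear in it.
PPSE_NAME = b"2PAY.SYS.DDF01"
SELECT_AID = bytes.fromhex("00A40400")


def looks_like_card_exchange(frame: Frame) -> bool:
    return PPSE_NAME in frame.body or SELECT_AID in frame.body


# Constructed sample stream: a SELECT PPSE APDU followed by a PIN-like body.
# The opcodes 1 and 2 are invented for the example.
SAMPLE_STREAM = (
    build_frame(1, b"\x00\xA4\x04\x00\x0E" + PPSE_NAME + b"\x00")
    + build_frame(2, b"1234")
)


def parse_stream(stream: bytes, chunk: int = 5) -> List[Frame]:
    """Feed the stream in small pieces to exercise cross-segment reassembly."""
    parser = FrameParser()
    frames: List[Frame] = []
    for i in range(0, len(stream), chunk):
        frames.extend(parser.feed(stream[i:i + chunk]))
    return frames


if __name__ == "__main__":
    for f in parse_stream(SAMPLE_STREAM):
        tag = "card-exchange" if looks_like_card_exchange(f) else "other"
        print(f"opcode={f.opcode} len={len(f.body)} {tag} {f.body.hex()}")
```

To use it on a capture, follow the TCP stream to 91.84.97.13:5653 in Wireshark (or reassemble it with a pcap library) and feed the client-to-server payload bytes through `FrameParser.feed` in order; if the first frames come out with nonsense lengths, flip the byte-order and length-semantics assumptions before concluding the format differs.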
Protecting Against NGate and Similar Threats
Organizations and individuals should act on a few straightforward mitigations. Install banking applications only from official app stores (Google Play for the Android devices NGate targets), whose review processes reduce, though do not eliminate, distribution of malicious apps; never install an app from a link received by SMS or email, however plausible the pretext.
Never give personal or card information to an unsolicited caller. Hang up and call the bank back on the number printed on your card or statement; a genuine bank will not object, and calling back on a known number is the only reliable way to confirm who was really on the line. Treat an SMS that "confirms" a caller's identity as part of the same scam, not as verification.
Banking institutions should alert customers about NGate through security communications and educate users on this evolving threat landscape.
Indicators of Compromise
| Indicator Type | Value |
|---|---|
| MD5 Hash | 2cee3f603679ed7e5f881588b2e78ddc |
| MD5 Hash | 701e6905e1adf78e6c59ceedd93077f3 |
| MD5 Hash | 2cb20971a972055187a5d4ddb4668cc2 |
| MD5 Hash | b0a5051df9db33b8a1ffa71742d4cb09 |
| MD5 Hash | bcafd5c19ffa0e963143d068c8efda92 |
| IP Address:Port | 91.84.97.13:5653 |
| URL | files[.]fm/u/yfwsanu886 |
