NGate NFC Malware Steals Cash from ATMs by Relaying EMV Data and PINs from Victim’s Phone

The national incident response team CERT Polska has uncovered a new strain of Android-based NFC relay malware, dubbed NGate, that enables cybercriminals to withdraw cash from ATMs using victims’ own payment cards — without ever stealing the card physically.

According to CERT Polska, “the campaign is designed to enable unauthorized cash withdrawals at ATMs using victims’ own payment cards. Criminals don’t physically steal the card; they relay the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at an ATM.”

The attack begins with a phishing and phone-based social engineering campaign that impersonates bank support representatives. Victims receive fake security alerts via email or SMS, claiming there is a “technical problem or a security incident.” The message leads to a phishing site prompting the user to download a malicious Android application.

As CERT Polska explains, “A scammer calls, posing as bank staff, to ‘confirm identity’ and to justify the app. The user also receives an SMS message confirming the identity of the alleged bank employee.”

The fraudulent app then instructs the victim to “verify their payment card directly within the app” by tapping the card against the phone (using NFC) and entering the PIN on a fake keypad interface.

“When the victim taps the card, the app captures the card’s NFC exchanges (the same data that flows at a terminal/ATM) and sends them over the internet to the attacker’s device standing at an ATM,” CERT Polska notes. “With the relayed card data + PIN, the attacker withdraws cash.”

The analyzed malicious APK registers itself as an Android Host Card Emulation (HCE) payment service, enabling it to act as a virtual card or reader. In CERT Polska’s analysis, “the app registers itself as a Host Card Emulation (HCE) payment service on Android (so it can behave like a virtual card).”

Once installed, the malware activates a native library (libapp.so) that decrypts its configuration from an embedded asset. The report explains that the malware’s command-and-control (C2) server address is encrypted and decrypted at runtime using a key derived from the app’s signing certificate:

“We decrypted that asset and recovered the live c2 endpoint: IP/port: 91.84.97.13:5653.”

The malware then establishes a TCP connection (unencrypted, tls=false) to this IP address, allowing real-time transmission of card data and PINs between the infected device and the attacker’s ATM relay terminal.

CERT Polska’s reverse engineering shows how the native code performs XOR decryption on configuration files, with the key derived from “the SHA-256 hash of the APK signing certificate.” This obfuscation helps the attackers hide critical parameters like server address, token, and connection mode.

When the victim taps a card, the malware uses Android’s NFC reader API to intercept EMV data — including the Primary Account Number (PAN), expiration date, and AID (Application Identifier). The malware’s CardData class serializes these values together with the PIN into a binary structure before exfiltration.

“The UI includes a PIN pad; the PIN is sent together with the NFC data to the attacker,” the CERT Polska report confirms.

The PIN-capture mechanism uses a custom keyboard component (PinCodeField) that immediately publishes the full PIN string once the fourth digit is entered. CERT Polska emphasizes that “once the required length is reached (default 4), it publishes the full PIN string to an internal event bus”, which is then sent via socket to the C2 in one hop.

The researchers found that NGate supports two operational roles — one to collect card data (reader mode) and one to emulate a payment card at the ATM (emitter mode).

This setup enables the attacker to relay EMV APDUs and PINs in real time between two devices — one interacting with the victim’s card, the other impersonating it at an ATM, effectively cloning the transaction session without needing to duplicate the physical card.

CERT Polska’s analysis of the network layer shows a simple, framed TCP protocol sending length-prefixed messages and cleartext payloads. Since TLS was disabled, “frames are easy to signature on the wire, and because tls=false, payloads are cleartext.”

The malware maintains a persistent connection via keepalive pings every seven seconds, ensuring the attacker’s relay stays synchronized while an ATM transaction occurs.

Related Posts:

• NFC Nightmare: New NGate Trojan Drains Bank Accounts via ATMs
• NGate Android Malware Steals NFC Payment Data at ATMs
• UNC1151 Exploits Roundcube Flaw in Spear Phishing Attack
• Smartwares Security Breach: Vulnerabilities Expose Cameras to Remote Takeover
• Ghost Tap: NFC Fraud Surge Linked to Chinese Cybercriminal Groups