Smartphone banking has made life easier, but it has also opened new opportunities for cybercriminals. Over the years, we have witnessed Android malware steal passwords, intercept one-time passcodes (OTPs), and even take remote control of phones to deplete accounts. Some scams focus on fake banking apps, while others rely on phishing messages to trick users into entering sensitive details.
Security researchers have now identified a more advanced threat: a new Android malware named NGate, which allows criminals to access bank accounts by stealing NFC payment codes in real time. This means that thieves can withdraw cash from ATMs without the victim’s physical card. The discovery was made by the Polish Computer Emergency Response Team (CERT Polska). The malware not only copies credit card details but also captures the fresh, one-time authentication codes that modern Visa and Mastercard chips generate during contactless payments.
To exploit this, attackers must first infect the victim’s phone. They typically send phishing messages that claim there is a problem with the user’s bank account, prompting them to download a fake banking app from an untrusted source. Once installed, the app guides the user through fake verification steps and requests permissions that allow it to access NFC activity. As soon as the user taps their phone or enters their PIN, the malware captures everything the ATM needs to validate a withdrawal. The one-time codes generated during the NFC transaction are valid for only a short time, so attackers must act quickly. After the data is captured, it is uploaded to a server controlled by the hackers. An accomplice can then use a device capable of mimicking a contactless card—such as another phone, a smartwatch, or custom NFC hardware—to perform the withdrawal at an ATM.
The entire process requires timing, planning, and deception. The victim is tricked into performing the transaction on their phone, which allows the malware to capture the necessary information. This makes the attack difficult to detect and even harder to reverse once the withdrawal is completed. To prevent such attacks, cybersecurity experts advise downloading apps only from official sources like Google Play, where built-in security checks can help identify and block malware. While these checks are not 100% foolproof, they offer an additional layer of protection. Users are also urged to enable two-factor authentication (2FA) for banking apps, use strong passwords, and keep their devices updated with the latest security patches.
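The advice above can be turned into a device check. The following is an added example, not code from CERT Polska or from the original article: it flags apps that were not installed by a trusted store and that also request NFC access. It assumes the inventory comes from `adb shell pm list packages -i` and `dumpsys package <name>`, that Google Play is the only trusted installer, and that NFC access shows up as a request for `android.permission.NFC`; the package names and sample output are constructed.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumed policy)
NFC_PERMISSION = "android.permission.NFC"
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample, in the format of `adb shell pm list packages -i`.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.bank.verify  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
# Constructed, abbreviated `dumpsys package <name>` excerpts.
WITH_NFC = """\
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    install permissions:
      android.permission.INTERNET: granted=true
"""
WITHOUT_NFC = "    requested permissions:\n      android.permission.CAMERA\n"
SAMPLE_DUMPS = {"com.example.notes": WITH_NFC, "com.example.bank.verify": WITH_NFC,
                "com.example.flashlight": WITHOUT_NFC}

def parse_installers(pm_output):
    """Map package name -> installer of record."""
    matches = (PKG_LINE.match(line.strip()) for line in pm_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def requested_permissions(dumpsys_output):
    """Return the names listed under 'requested permissions:'."""
    perms, in_section = set(), False
    for line in dumpsys_output.splitlines():
        text = line.strip()
        if text == "requested permissions:":
            in_section = True
        elif in_section and text.endswith(":"):
            break  # next section header, e.g. 'install permissions:'
        elif in_section and text:
            perms.add(text.split(":")[0])
    return perms

def flag_sideloaded_nfc(pm_output, dumps):
    """Packages not installed by a trusted store that request NFC access."""
    return [(pkg, src) for pkg, src in sorted(parse_installers(pm_output).items())
            if src not in TRUSTED_INSTALLERS
            and NFC_PERMISSION in requested_permissions(dumps.get(pkg, ""))]

if __name__ == "__main__":
    print(flag_sideloaded_nfc(SAMPLE_PM, SAMPLE_DUMPS))
```

A hit is a lead for review, not a verdict: legitimate sideloaded apps can also request NFC access.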
Phishing attacks often lead users to fake websites or login pages that appear identical to the real thing, making it hard to tell genuine sites from fraudulent ones. A password manager can help by saving credentials and filling in login details only when the site is authentic. If the password manager refuses to autofill, it may indicate a fake page.
Cybercriminals are now combining social engineering with the secure hardware features of modern payment systems. The malware does not break NFC security; instead, it tricks the user into performing a real transaction and captures the one-time codes at that moment. The best way to defend against such threats is through awareness and strict security practices, such as not downloading apps from outside the official Play Store.
With the growing sophistication of cyber threats, staying safe involves a mix of good digital habits and security tools that protect your phone and financial data. Experts warn that the threat of such attacks is increasing and that vigilance is critical. By remaining cautious and following best practices, users can significantly reduce the risk of falling victim to malware like NGate.