{“lastseen”:”2025-11-06T18:09:16″,”description”:”The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.\\n\\nResearchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones\u2014without ever physically stealing the cards.\\n\\nNFC is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they\u2019re very close together. So, instead of stealing your bank card, the attackers capture NFC (Near Field Communication) activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate\u2019s case the stolen data is sent over the network to the attackers\u2019 servers rather than being relayed purely by radio.\\n\\nNFC comes in a few \u201cflavors.\u201d Some produce a static code\u2014for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my \u201cFlipper Zero\u201d so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card\u2019s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.\\n\\nSo, that\u2019s what makes the NGate malware more sophisticated. It doesn\u2019t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged \u2014 not just the card number, but the fresh one-time codes and other details generated in that moment.\\n\\nThe malware then instantly sends all that NFC data, including the PIN, to the attacker\u2019s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.\\n\\nBut, as you can imagine, being ready at an ATM when the data comes in takes planning\u2014and social engineering.\\n\\nFirst, attackers need to plant the malware on the victim\u2019s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake \u201cbanking\u201d app from a non-official source, such as a direct link instead of Google Play.\\n\\nOnce installed, the app app asks for permissions and leads victims through fake \u201ccard verification\u201d steps. The goal is to get victims to act quickly and trustingly\u2014while an accomplice waits at an ATM to cash out.\\n\\n## How to stay safe\\n\\nNGate only works if your phone is infected and you\u2019re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is keep your phone protected and stay vigilant to social engineering:\\n\\n * **Stick to trusted sources.** Download apps only from Google Play, Apple\u2019s App Store, or the official provider. Your bank will never ask you to use another source.\\n * **Protect your devices.** Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.\\n * **Do not engage with unsolicited callers.** If someone claims to be from your bank, tell them you\u2019ll call them back at the number you have on file.\\n * **Ignore suspicious texts.** Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.\\n\\n\\n\\nMalwarebytes for Android detects these banking Trojans as Android\/Trojan.Spy.NGate.C; Android\/Trojan.Agent.SIB01022b454eH140; Android\/Trojan.Agent.SIB01c84b1237H62; Android\/Trojan.Spy.Generic.AUR9552b53bH2756 and Android\/Trojan.Banker.AURf26adb59C19.\\n\\n* * *\\n\\n**We don\u2019t just report on phone security\u2014we provide it**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.”,”published”:”2025-11-06T16:48:11″,”modified”:”2025-11-06T16:48:11″,”type”:”malwarebytes”,”title”:”Android malware steals your card details and PIN to make instant ATM withdrawals”,”source”:””,”references”:””,”id”:”MALWAREBYTES:A75D5C2717E7B51A6BB5DD4734F7E02B”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/11\/android-malware-steals-your-card-details-and-pin-to-make-instant-atm-withdrawals”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-06T18:09:16″,”description”:”The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-25014","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n