How Android malware lets thieves access your ATM cash

Angry Android mascot on top a broken phone

Smartphone banking has made life easier, but it has also opened new opportunities for cybercriminals. Over the past few years, we have seen Android malware steal passwords, intercept OTPs, and even take remote control of phones to drain accounts. Some scams focus on fake banking apps, while others rely on phishing messages that trick you into entering sensitive details.

Security researchers have now discovered a new threat that goes a step further. Instead of simply stealing login information, this malware gives thieves the ability to walk up to an ATM and withdraw your money in real time.

 

 

A person is using an Android phone

 

How the NGate malware works

The Polish Computer Emergency Response Team (CERT Polska) discovered a new Android malware called NGate that uses NFC activity to access a victim’s bank account. This malware monitors contactless payment actions on the victim’s phone and forwards all transaction data, including the PIN, directly to a server controlled by attackers. It does not just copy card details. Instead, it waits until the victim taps to pay or performs a verification step, then captures the fresh, one-time authentication codes that modern Visa and Mastercard chips generate.

To pull this off, attackers need to infect the phone first. They typically send phishing messages claiming there is a security problem with the victim’s bank account. These messages often push people to download a fake banking app from a non-official source. Once the victim installs it, the app walks them through fake verification prompts and requests permissions that allow it to read NFC activity. As soon as the victim taps their phone or enters their PIN, the malware captures everything the ATM needs to validate a withdrawal.

Pixel is on a table

 

What attackers do with the stolen data at the ATM

The attackers rely on speed. The one-time codes generated during an NFC transaction are valid for only a short period. As soon as the infected phone captures the data, the information is uploaded to the attacker’s server. An accomplice waits near an ATM, holding a device capable of emulating a contactless card. This could be another phone, a smartwatch, or custom NFC hardware.

When the data arrives, the accomplice presents the card-emulating device at the ATM. Since the information contains fresh, valid authentication codes and the correct PIN, the machine treats it like a real card. The ATM authorizes the withdrawal because everything appears to match a legitimate transaction. All of this happens without the criminal ever touching the victim’s physical card. Everything depends on timing, planning, and getting the victim to unknowingly complete the transaction on their own phone.

A person is using a phone

 

7 steps you can take to stay safe from Android NGate malware

As attacks like NGate become more sophisticated, staying safe comes down to a mix of good digital habits and a few simple tools that protect your phone and your financial data.

 

1) Download apps only from the Play Store

Most malicious banking apps spread through direct links sent in texts or emails. These links lead to APK files hosted on random servers. When you install apps only from the Play Store, you get Google’s built-in security checks. Play Protect regularly scans apps for malware and removes harmful ones from your device. However, it is important to note that Google Play Protect may not be enough. Historically, it isn’t 100% foolproof at removing all known malware from Android devices. Even if attackers send convincing messages, avoid installing anything from outside the official store. If your bank wants you to update an app, you will always find it on the Play Store.

 

2) Use strong antivirus software

One careless tap on a fake bank alert can hand criminals everything they need. Strong antivirus software can stop most threats before they cause damage. It scans new downloads, blocks unsafe links, and alerts you when an app behaves in ways that could expose your financial data. Many threats like NGate rely on fake banking apps, so having real-time scanning turned on gives you an early warning if something suspicious tries to install itself.

One of the top solutions we recommend is Norton Antivirus Plus, which extends protection beyond just traditional virus scanning. While iPhones have strong built-in security, Norton adds an important extra layer by helping block malicious websites, phishing links, and unsafe downloads before they can cause harm. If you accidentally tap a bad link in an email, text message, or social media post, Norton helps prevent access to known dangerous sites using its continuously updated threat intelligence. If you are interested in a strong antivirus with phone customer service, we recommend Norton Antivirus Plus. This product includes:
  • Strong real-time protection against viruses, malware, ransomware and hacking attempts
  • AI-powered scam protection to help identify suspicious emails, texts and websites
  • Built-in password manager to securely store and manage logins
  • 2 GB PC cloud backup to help protect important files from ransomware or hardware failure
  • Smart firewall and phishing protection
COVERAGE
  • Protects 1, 3 or 5 devices
  • Available for Windows, macOS, Android and iOS
  • Includes real-time threat protection, smart firewall and phishing protection to guard against online attacks
EXCLUSIVE CYBERGUY DEAL: 58% off (year 1) Please note that the above product is the core antivirus product. Norton may try to upsell additional products, but we don’t recommend them. We encourage you to decline those offers.

 

3) Keep your device and apps updated

Security patches fix vulnerabilities that attackers use to hijack permission settings or read sensitive data. Updates also improve how Android monitors NFC and payment activity. Turn on automatic updates for both the operating system and apps, especially banking and payment apps. A fully updated device closes many of the holes that malware tries to exploit.

 

4) Use a password manager to avoid phishing traps

Phishing attacks often direct you to fake websites or fake app login pages that look identical to the real thing. A password manager saves your credentials and fills them in only when the website or app is authentic. If it refuses to autofill, it is a clear sign that you are on a fake page. Consider using a password manager to generate and store complex passwords.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

One of the best password managers out there is NordPass. It is secure, user-friendly, and uses zero-knowledge architecture with military-grade XChaCha20 encryption to protect your data. NordPass works across Windows, macOS, Linux, Android, iOS, and major browsers and includes features like:
  • Unlimited password storage
  • Secure sharing
  • Password health reports
  • Auto-fill and emergency access
  • Data breach monitoring to alert you if your credentials have been exposed
  • A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords
Use NordPass to check if your email or passwords have shown up in known data breaches, and take immediate action if they have.
 
CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!

 

5) Turn on two-factor authentication for all financial services

Two-factor authentication gives you a second layer of protection, even if your password is compromised. App-based authenticators are more secure than SMS codes because they cannot be intercepted as easily. For banking apps, enabling 2FA adds friction for attackers trying to perform unauthorized actions. Combined with strong passwords from a password manager, it significantly reduces the chance of account takeover.

 

6) Ignore suspicious texts, emails, and calls

Attackers rely on urgency to trick you. They often claim that your card is blocked, your account is frozen, or a payment needs verification. These messages push you to act fast and install a fake app. Always pause and check your bank’s official channels. Contact the bank through verified customer care numbers or the official app. Never click links or open attachments in unsolicited messages, even if they look legitimate.

 

7) Review app permissions

Most people install apps and forget about them. Over time, unused apps pile up with unnecessary permissions that increase risk. Open your phone’s permission settings and check what each app can access. If a simple tool asks for access to NFC, messages, or accessibility features, uninstall it. Attackers exploit these excessive permissions to monitor your activity or capture data without your knowledge.

 

Related Links:

 

Kurt’s key takeaway

Cybercriminals are now combining social engineering with the secure hardware features inside modern payment systems. The malware does not break NFC security. Instead, it tricks you into performing a real transaction and steals the one-time codes at that moment. This makes the attack difficult to spot and even harder to reverse once the withdrawal goes through. The best defense is simple awareness. If a bank ever urges you to download an app from outside the Play Store, treat it as an immediate warning sign. Keeping your phone clean is now as important as keeping your physical card safe.

Have you ever downloaded an app from outside the Play Store? Let us know in the comments below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.