How Android Malware Lets Thieves Access Your ATM Cash
Smartphone banking has made life easier, but it has also opened up new opportunities for cybercriminals.
In recent years, we’ve seen Android malware steal passwords, intercept OTPs, and even take remote control of phones to drain accounts. Some scams focus on fake banking apps, while others rely on phishing messages that trick you into entering sensitive details.
Security researchers have now discovered a new threat that goes one step further. Instead of simply stealing login information, this malware offers thieves the ability to walk up to an ATM and withdraw your money in real time.

Android malware like NGate tricks users into downloading fake banking apps that steal sensitive data. (Kurt “CyberGuy” Knutsson)
How NGate malware works
The Polish Computer Emergency Response Team (CERT Polska) discovered a new Android malware called NGate that uses NFC activity to access the victim’s bank account. This malware monitors contactless payment actions on the victim’s phone and forwards all transaction data, including the PIN, directly to a server controlled by the attackers. It is not limited to copying the card data. Instead, it waits until the victim taps to pay or performs a verification step, then captures the new unique authentication codes generated by modern Visa and Mastercard chips.
To achieve this, attackers must infect the phone first. They typically send phishing messages claiming that there is a security issue with the victim’s bank account. These messages often prompt people to download a fake banking app from an unofficial source. Once the victim installs it, the app guides them through fake verification messages and requests permissions that allow it to read NFC activity. As soon as the victim touches their phone or enters their PIN, the malware captures everything the ATM needs to validate a withdrawal.

Once installed, the malware captures NFC codes and payment PINs the moment the victim uses their phone. (Kurt “CyberGuy” Knutsson)
What attackers do with stolen ATM data
Attackers rely on speed. Single-use codes generated during an NFC transaction are valid for a short period only. As soon as the infected phone captures the data, the information is uploaded to the attacker’s server. An accomplice waits near an ATM with a device capable of emulating a contactless card. It could be another phone, a smartwatch, or custom NFC hardware.
When the data arrives, the accomplice presents the card-emulating device at the ATM. Since the information contains new, valid authentication codes and the correct PIN, the machine treats it as a real card. The ATM authorizes the withdrawal because everything appears to correspond to a legitimate transaction. All of this happens without the criminal ever touching the victim’s physical card. It all depends on timing, planning, and getting the victim to unknowingly complete the transaction on their own phone.

Criminals use stolen, time-limited codes at an ATM to make real withdrawals without the victim’s card. (Kurt “CyberGuy” Knutsson)
7 steps you can take to stay safe from Android NGate malware
As attacks like NGate become more sophisticated, staying safe comes down to a combination of good digital habits and a few simple tools that protect your phone and financial data.
1) Download apps only from Play Store
Most malicious banking apps spread through direct links sent in text messages or emails. These links lead to APK files hosted on random servers. When you install apps only from the Play Store, you get Google’s built-in security controls. Play Protect regularly scans apps for malware and removes harmful ones from your device. However, it is important to note that Google Play Protect may not be enough. Historically, it has not been 100% foolproof at removing all known malware from Android devices. Even if attackers send convincing messages, avoid installing anything from outside the official store. If your bank wants you to update an app, you will always find it in the Play Store.
2) Use powerful antivirus software
A careless touch on a fake bank alert can give criminals everything they need. Powerful antivirus software can stop most threats before they cause damage. It scans new downloads, blocks unsafe links, and alerts you when an app behaves in ways that could expose your financial data. Many threats like NGate rely on fake banking apps, so having real-time scanning turned on gives you an early warning if something suspicious tries to install itself.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
3) Keep your device and apps up to date
Security patches fix vulnerabilities that attackers use to hijack permission settings or read sensitive data. Updates also improve the way Android monitors NFC and payment activity. Turn on automatic updates for both the operating system and apps, especially banking and payment apps. A fully updated device closes many of the holes that malware tries to exploit.
4) Use a password manager to avoid phishing traps
Phishing attacks often direct you to fake websites or fake app login pages that look identical to the real thing. A password manager saves your credentials and fills them in only when the website or app is authentic. If it refuses to autocomplete, it is a clear sign that you are on a fake page. Consider using a password manager to generate and store complex passwords.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
5) Activate two-factor authentication for all financial services
Two-factor authentication gives you a second layer of protection, even if your password is compromised. App-based authenticators are more secure than SMS codes because they cannot be intercepted as easily. For banking applications, enabling 2FA adds friction for attackers trying to perform unauthorized actions. Combined with strong passwords from a password manager, it significantly reduces the chance of account takeover.
6) Ignore suspicious texts, emails and calls
Attackers rely on urgency to trick you. They often claim that your card is blocked, your account is frozen, or that a payment needs to be verified. These messages urge you to act quickly and install a fake application. Always pause and consult your bank’s official channels. Contact the bank through the verified customer care numbers or the official app. Never click on links or open attachments in unsolicited messages, even if they look legitimate.
7) Review app permissions
Most people install apps and forget about them. Over time, unused apps accumulate with unnecessary permissions that increase risk. Open your phone’s permissions settings and check what each app can access. If a simple tool requests access to NFC, messaging, or accessibility features, uninstall it. Attackers take advantage of these excessive permissions to monitor your activity or capture data without your knowledge.
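For readers comfortable with Android's `adb` tool, the check in steps 1 and 7 can be scripted. This is an added example, not code from CERT Polska or CyberGuy: it lists user-installed apps that did not come from the Play Store and that request NFC or SMS permissions. The `com.example.*` package names and sample output are constructed, and treating every installer other than `com.android.vending` as unofficial is an assumption.

```python
import re
import subprocess

PLAY_STORE = "com.android.vending"
# Android permission names for two of the categories named in step 7.
SENSITIVE = {
    "android.permission.NFC": "NFC",
    "android.permission.READ_SMS": "messaging",
    "android.permission.RECEIVE_SMS": "messaging",
}
# Constructed sample output (not from a real device), used when run offline.
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.example.notes  installer=null"""
SAMPLE_DUMPSYS = {
    "com.example.bank": "requested permissions:\n  android.permission.NFC\n",
    "com.example.fakebank": "requested permissions:\n  android.permission.NFC\n"
                            "  android.permission.RECEIVE_SMS\n",
    "com.example.notes": "requested permissions:\n  android.permission.INTERNET\n",
}

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def sensitive_categories(dumpsys_output):
    """Categories whose permissions appear in `dumpsys package <pkg>` text."""
    return sorted({cat for perm, cat in SENSITIVE.items()
                   if re.search(re.escape(perm) + r"\b", dumpsys_output)})

def audit(pm_output, dumpsys_for):
    """Flag apps not installed by the Play Store that use NFC or SMS."""
    report = {}
    for pkg, installer in parse_installers(pm_output).items():
        cats = sensitive_categories(dumpsys_for(pkg))
        if installer != PLAY_STORE and cats:
            report[pkg] = (installer, cats)
    return report

def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Offline demo on the constructed sample; for a real phone use
    # audit(adb_shell("pm", "list", "packages", "-3", "-i"),
    #       lambda p: adb_shell("dumpsys", "package", p))
    for pkg, (src, cats) in audit(SAMPLE_PM, SAMPLE_DUMPSYS.get).items():
        print(f"{pkg}: installer={src}, uses {', '.join(cats)}")
```

Running it against a real phone requires USB debugging to be enabled; a flagged app is a prompt to review it in the permissions settings, not proof that it is malicious.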
Kurt’s Key Takeaway
Cybercriminals now combine social engineering with secure hardware features within modern payment systems. The malware does not break NFC security. Instead, it tricks you into making a real transaction and steals the single-use codes at that time. This makes the attack difficult to detect and even more difficult to reverse once the withdrawal is made. The best defense is simple awareness. If a bank ever urges you to download an app from outside the Play Store, treat it as an immediate warning sign. Keeping your phone clean is now just as important as keeping your physical card safe.
Have you ever downloaded an app outside of the Play Store? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.


