Zimperium

NGate: NFC Relay Malware Enabling ATM Withdrawals Without Physical Cards

Written by Nicolás Chiaraviglio | Nov 12, 2025

CERT Polska has recently uncovered a sophisticated Android malware family dubbed NGate, designed to perform NFC relay attacks targeting Polish bank customers. This campaign demonstrates a concerning evolution in mobile financial fraud — leveraging Host Card Emulation (HCE) to relay payment data from victims’ phones to attacker-controlled ATMs, effectively allowing unauthorized cash withdrawals without ever stealing the physical card.

The attack begins with phishing messages sent via email or SMS, impersonating banks and urging users to install a fake “security” or “support” app. In some cases, victims also receive follow-up calls from fake bank representatives to reinforce credibility. Once installed, the malicious app registers itself as a payment service using Android’s HostApduService, enabling it to capture and transmit card data during contactless (NFC) operations. Victims are prompted to tap their real bank card against the phone and input their PIN. The captured NFC exchange and PIN are then transmitted to the attacker’s device positioned at an ATM, where the same data is replayed to withdraw cash instantly.
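A defender's first question after reading the above is which installed apps are actually entitled to act as a contactless card. The following added example (not code from Zimperium or CERT Polska) parses an AndroidManifest.xml and flags every service that registers for the `HOST_APDU_SERVICE` action, which is how an app becomes an HCE payment service; it then compares the package against an allow-list of expected payment apps. The allow-list, the package names and the sample manifest are constructed for this example, and the heuristic of treating an unexpected HCE service that also requests network access as higher priority for review is an assumption, not a published detection rule.

```python
"""Flag apps that register an NFC Host Card Emulation (HCE) service.

Added example, not Zimperium's or CERT Polska's code. It parses an
AndroidManifest.xml and reports every <service> that registers for
android.nfc.cardemulation.action.HOST_APDU_SERVICE (the mechanism the
text describes NGate abusing), then checks the package against an
allow-list of apps expected to emulate a card.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
BIND_PERM = "android.permission.BIND_NFC_SERVICE"

# Constructed allow-list: packages an organisation expects to perform HCE.
EXPECTED_HCE_PACKAGES = {"com.example.bank.wallet"}

# Constructed sample manifest resembling a fake "security" app that declares
# an HCE service and requests NFC plus network access (package name invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.security">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Security">
    <service android:name=".PaymentService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""


def a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


def find_hce_services(manifest_xml):
    """Return one record per <service> that handles the HCE APDU action."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(a("name")) for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {act.get(a("name")) for act in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        services.append({
            "package": package,
            "service": svc.get(a("name")),
            "exported": svc.get(a("exported")) == "true",
            # Android requires BIND_NFC_SERVICE so only the NFC stack can bind.
            "bind_permission_ok": svc.get(a("permission")) == BIND_PERM,
            "has_nfc_permission": "android.permission.NFC" in perms,
            "has_internet": "android.permission.INTERNET" in perms,
        })
    return services


def assess(manifest_xml, expected=EXPECTED_HCE_PACKAGES):
    """Classify each HCE service as expected or needing review."""
    findings = []
    for s in find_hce_services(manifest_xml):
        if s["package"] in expected:
            verdict = "expected"
        elif s["has_internet"]:
            # Assumed triage heuristic: card emulation plus network access
            # in an app nobody approved is what a relay would need.
            verdict = "review: unexpected HCE service with network access"
        else:
            verdict = "review: unexpected HCE service"
        findings.append((s["package"], s["service"], verdict))
    return findings


if __name__ == "__main__":
    for package, service, verdict in assess(SAMPLE_MANIFEST):
        print(package, service, verdict)
```

In practice the manifest would come from an MDM inventory or a decoded APK; the point of the allow-list is that HCE registration is a legitimate platform feature, so the signal is not the declaration itself but a package nobody expected to declare it.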

This campaign follows the broader trend of NFC abuse and relay-based fraud, previously seen in other banking trojans. Unlike overlay-based attacks, which rely on fake UI screens, NGate operates entirely below the user interface — using legitimate Android payment mechanisms for malicious intent. This represents a new frontier in device-level financial fraud, where malware can directly impersonate the victim’s physical card at an ATM.

Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detect all known variants of NGate without prior signatures, using our on-device dynamic detection engine, ensuring full protection for end users and enterprises alike.

As more mobile malware leverages legitimate platform features like NFC and HCE for malicious purposes, the line between legitimate app behavior and active fraud continues to blur. Campaigns like NGate highlight the growing need for on-device threat detection and runtime protection — technologies capable of understanding and responding to attacks that operate within Android’s normal permission and payment frameworks.

Enterprises, financial institutions, and mobile payment providers should remain vigilant, ensuring both user devices and payment apps are protected against HCE-based abuse.