How Android malware lets thieves access your ATM cash

NEWYou can now listen to Fox News articles!

Smartphone banking has made life easier, but it has also opened new opportunities for cybercriminals.

Over the past few years, we have seen Android malware steal passwords, intercept OTPs and even take remote control of phones to drain accounts. Some scams focus on fake banking apps, while others rely on phishing messages that trick you into entering sensitive details.

Security researchers have now discovered a new threat that goes a step further. Instead of simply stealing login information, this malware gives thieves the ability to walk up to an ATM and withdraw your money in real time.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

How the NGate malware works

The Polish Computer Emergency Response Team (CERT Polska) discovered a new Android malware called NGate that uses NFC activity to access a victim’s bank account. This malware monitors contactless payment actions on the victim’s phone and forwards all transaction data, including the PIN, directly to a server controlled by attackers. It does not just copy card details. Instead, it waits until the victim taps to pay or performs a verification step, then captures the fresh, one-time authentication codes that modern Visa and Mastercard chips generate.

To pull this off, attackers need to infect the phone first. They typically send phishing messages claiming there is a security problem with the victim’s bank account. These messages often push people to download a fake banking app from a non-official source. Once the victim installs it, the app walks them through fake verification prompts and requests permissions that allow it to read NFC activity. As soon as the victim taps their phone or enters their PIN, the malware captures everything the ATM needs to validate a withdrawal.

MANAGE ANDROID APPS WITH THE NEW ‘UNINSTALL’ BUTTON

What attackers do with the stolen data at the ATM

The attackers rely on speed. The one-time codes generated during an NFC transaction are valid for only a short period. As soon as the infected phone captures the data, the information is uploaded to the attacker’s server. An accomplice waits near an ATM, holding a device capable of emulating a contactless card. This could be another phone, a smartwatch or custom NFC hardware.

When the data arrives, the accomplice presents the card-emulating device at the ATM. Since the information contains fresh, valid authentication codes and the correct PIN, the machine treats it like a real card. The ATM authorizes the withdrawal because everything appears to match a legitimate transaction. All of this happens without the criminal ever touching the victim’s physical card. Everything depends on timing, planning and getting the victim to unknowingly complete the transaction on their own phone.

A man holds a Google phone, powered by Android

7 steps you can take to stay safe from Android NGate malware

As attacks like NGate become more sophisticated, staying safe comes down to a mix of good digital habits and a few simple tools that protect your phone and your financial data.

1) Download apps only from the Play Store

Most malicious banking apps spread through direct links sent in texts or emails. These links lead to APK files hosted on random servers. When you install apps only from the Play Store, you get Google’s built-in security checks. Play Protect regularly scans apps for malware and removes harmful ones from your device. However, it is important to note that Google Play Protect may not be enough. Historically, it isn’t 100% foolproof at removing all known malware from Android devices. Even if attackers send convincing messages, avoid installing anything from outside the official store. If your bank wants you to update an app, you will always find it on the Play Store.

2) Use strong antivirus software

One careless tap on a fake bank alert can hand criminals everything they need. Strong antivirus software can stop most threats before they cause damage. It scans new downloads, blocks unsafe links and alerts you when an app behaves in ways that could expose your financial data. Many threats like NGate rely on fake banking apps, so having real-time scanning turned on gives you an early warning if something suspicious tries to install itself.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

ATM ‘JACKPOTTING’ CRIME WAVE GROWS AFTER THIEVES WALK AWAY WITH HUNDREDS OF THOUSANDS IN CASH

3) Keep your device and apps updated

Security patches fix vulnerabilities that attackers use to hijack permission settings or read sensitive data. Updates also improve how Android monitors NFC and payment activity. Turn on automatic updates for both the operating system and apps, especially banking and payment apps. A fully updated device closes many of the holes that malware tries to exploit.

4) Use a password manager to avoid phishing traps

Phishing attacks often direct you to fake websites or fake app login pages that look identical to the real thing. A password manager saves your credentials and fills them in only when the website or app is authentic. If it refuses to autofill, it is a clear sign that you are on a fake page. Consider using a password manager to generate and store complex passwords.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

5) Turn on two-factor authentication for all financial services

Two-factor authentication gives you a second layer of protection, even if your password is compromised. App-based authenticators are more secure than SMS codes because they cannot be intercepted as easily. For banking apps, enabling 2FA adds friction for attackers trying to perform unauthorized actions. Combined with strong passwords from a password manager, it significantly reduces the chance of account takeover.

6) Ignore suspicious texts, emails and calls

Attackers rely on urgency to trick you. They often claim that your card is blocked, your account is frozen, or a payment needs verification. These messages push you to act fast and install a fake app. Always pause and check your bank’s official channels. Contact the bank through verified customer care numbers or the official app. Never click links or open attachments in unsolicited messages, even if they look legitimate.

7) Review app permissions

Most people install apps and forget about them. Over time, unused apps pile up with unnecessary permissions that increase risk. Open your phone’s permission settings and check what each app can access. If a simple tool asks for access to NFC, messages, or accessibility features, uninstall it. Attackers exploit these excessive permissions to monitor your activity or capture data without your knowledge.

Kurt’s key takeaway

Cybercriminals are now combining social engineering with the secure hardware features inside modern payment systems. The malware does not break NFC security. Instead, it tricks you into performing a real transaction and steals the one-time codes at that moment. This makes the attack difficult to spot and even harder to reverse once the withdrawal goes through. The best defense is simple awareness. If a bank ever urges you to download an app from outside the Play Store, treat it as an immediate warning sign. Keeping your phone clean is now as important as keeping your physical card safe.

Have you ever downloaded an app from outside the Play Store? Let us know by writing to us at Cyberguy.com.

Read the full article here