NGate, the Android malware that clones NFC cards: campaigns, IoCs, and defense

  • NGate relays NFC data to emulate cards and withdraw cash at contactless ATMs.
  • Confirmed campaigns in Czechia and Brazil involving impersonation of Google Play and banks.
  • Key IoCs: com.billy.cardemv, domains *.pages.dev and replit.dev, Android/Spy.NGate detections.
  • It does not require root access on the victim; social engineering is at the heart of the attack.

NGate malware on Android

The cybersecurity community has focused its attention on NGate, an Android malware that clones bank cards over NFC and relays that data to attackers, who use it to withdraw money from ATMs or pay at point-of-sale terminals. Several investigations have observed active campaigns with very convincing impersonations of stores and banking apps, making NGate a particularly treacherous threat to mobile banking users.

This malicious software has been used in operations detected in Czechia and, more recently, Brazil, with combined tactics of smishing, social engineering, and distribution via progressive web apps (PWA/WebAPK) and pages that mimic Google Play. Although the vector changes from campaign to campaign, the objective remains the same: to capture NFC data and card PINs in order to execute withdrawals at ATMs without the physical card.

What is NGate and why is it so dangerous?

NGate is Android-specific malware designed for financial fraud. Its key capability is abusing near-field communication (NFC) to copy the data from a bank card and emulate it from another device in the attacker's hands, who can then withdraw cash or make contactless payments.

Previous investigations detailed its use against customers of three Czech banks (including Czech Raiffeisenbank and ČSOB) and the existence of at least six variants with an appearance tailored to each entity. In parallel, recent reports describe a campaign aimed at Brazilian users with very elaborate impersonations of banks and e-commerce apps.

This malware was not listed in the official Google store: NGate was not distributed on Google Play. Instead, the criminals turned to WebAPKs and PWAs, as well as fake pages that mimicked the Play Store's look and feel, reinforcing the deception with an "installation" experience very similar to the legitimate one.

Once on the device, NGate asks the user to activate NFC and enter the PIN, guiding them through screens that simulate real banking processes. Once that information is captured, everything is ready to remotely emulate the card and operate at ATMs or POS terminals, sometimes with the possibility of altering withdrawal limits if the fraud requires it.

It is important to emphasize that the victim does not need root on their phone. The attacker's device, however, is usually rooted so it can freely run NFC relay tools. At the detection level, various providers have classified samples as Android/Spy.NGate.B or Android/Spy.NGate.BD, in addition to heuristic names such as "HEUR:Trojan-Banker.AndroidOS.NGate.a".

Campaigns and outreach: from Czechia to Brazil

NGate operators have combined smishing, social engineering and web apps since at least November 2023 in the Czech Republic, initially with PWA/WebAPK and, from March 2024, with an evolution that deployed the Android Trojan itself. This trajectory has been reflected in technical reports that connect the phases and the tools.

In Latin America, research in 2025 has documented a campaign focused on Brazil which uses sites that resemble the Google Play Store and replicate the visual identity of four major banks (Santander, Banco do Brasil, Itaú and Bradesco) and the e-commerce platform Mercado Livre. The goal, as before, is to install a malicious app with NFC cloning capabilities.

This campaign highlights that the malicious app uses the same package name observed in previous variants: com.billy.cardemv. This match links the pieces to families like NGate and PhantomCard already used in previous attacks, which indicates continuity and adaptation to the Brazilian public.

It has also been reported that the threat, initially recognized in Europe, was later detected in Latin America, with specific records in Brazil. In some cases, the cash theft has occurred in the same region; in others, the perpetrators have been arrested during ATM withdrawals after emulating cards obtained with the NGate scam.

Mechanism of operation (from infection to cash-out)

The criminal plan combines several steps that, together, constitute a novel attack on the Android ecosystem. The following summarizes its flow with key milestones, where the NFC relay is the differentiating element:

1. Initial infection through phishing

It usually starts with a bait SMS about everyday topics (like a tax refund or account issues) inviting the recipient to open a link. That URL redirects to a fraudulent website that imitates the bank or Google Play, from which the victim downloads and "installs" the supposedly legitimate app.

2. Installation of malicious applications

Attackers exploit PWAs or WebAPKs to give their imposter app a native appearance. In more advanced cases, the NGate-enabled package is installed on the phone, disguised with the target bank's icon and colors so that it goes unnoticed.

3. Data collection

Upon opening the scam app, users are prompted to enter banking credentials and other personal data, as well as to activate NFC. The data collected includes card information (PAN, expiry date, and the PIN if entered by the user), device identifiers and personal identification elements.

4. Exploiting NFC through NFCGate

NGate incorporates or relies on NFCGate, an academic tool published by the Secure Mobile Networking Lab at the Technical University of Darmstadt (Germany), which allows NFC traffic to be captured on one mobile phone and relayed to another through an intermediate server.

5. Data capture and retransmission

The victim places the card next to the phone following the instructions in the fake banking app. The malware sniffs the NFC exchange and sends it to the command and control (C2) server or directly to an attacker's device prepared to emulate the card.

6. Unauthorized transactions

With the emulated card on their mobile phone, the criminal can carry out contactless ATM withdrawals or pay at point-of-sale terminals. If the NFC connection fails, there is a plan B: diverting funds via bank transfers, a less desirable alternative for attackers because it is more traceable.

Indicators of Compromise (IoC)

To facilitate detection and blocking, several Indicators of Compromise (IoCs) associated with these campaigns have been published. These include domains, hashes, and detection names linked to the samples and to the infrastructure used for the deception:

  • Detections: Android/Spy.NGate.B, Android/Spy.NGate.BD; HEUR:Trojan-Banker.AndroidOS.NGate.a (among others from different providers).
  • Observed hash: 223D7AA925549C9C657C017F06CF7C19595C2CEE.
  • Impersonating domains (hosted on page-hosting services): googleplay-santander.pages.dev, googleplay-bb.pages.dev, googleplay-itau.pages.dev, googleplay-mercadolivre.pages.dev, googleplay-bradesco.pages.dev.
  • Additional infrastructure: 5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit.dev.
  • Package name repeated in several variants: com.billy.cardemv.

If you work on a response team, it's a good idea to populate blocklists and SIEMs with these indicators and their related DNS resolutions, and to pivot from them to hunt for new iterations.
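The following is an added example (not code from the source report or from any vendor) of how a response team might turn the indicators above into a simple SIEM-style matcher. It loads the exact hostnames, package name, SHA-1 and detection names listed above, scans key=value log lines, and distinguishes an exact IoC match from a weaker "hunt" lead on the shared hosting suffixes (pages.dev and replit.dev host plenty of legitimate sites, so a suffix hit alone is only a pivot point). The log format, the source IPs and the non-IoC hostnames are constructed for the example.

```python
"""IoC matcher for the NGate indicators published in the article (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the article's IoC list.
NGATE_DOMAINS = {
    "googleplay-santander.pages.dev",
    "googleplay-bb.pages.dev",
    "googleplay-itau.pages.dev",
    "googleplay-mercadolivre.pages.dev",
    "googleplay-bradesco.pages.dev",
    "5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit.dev",
}
NGATE_SHA1 = {"223d7aa925549c9c657c017f06cf7c19595c2cee"}
NGATE_PACKAGES = {"com.billy.cardemv"}
NGATE_DETECTIONS = {
    "Android/Spy.NGate.B",
    "Android/Spy.NGate.BD",
    "HEUR:Trojan-Banker.AndroidOS.NGate.a",
}
# Shared hosting suffixes abused by the campaign. A hit here is a hunting
# lead only: many legitimate sites live under these platforms.
HUNT_SUFFIXES = (".pages.dev", ".replit.dev")


@dataclass(frozen=True)
class Hit:
    line_no: int
    severity: str   # "match" = exact published IoC, "hunt" = suffix-only lead
    indicator: str
    field: str


# key=value tokens; quoted values may contain spaces (constructed log format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Turn 'a=b c="d e"' into {'a': 'b', 'c': 'd e'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_line(line_no: int, line: str) -> List[Hit]:
    """Return every IoC hit found in one log line."""
    hits: List[Hit] = []
    fields = parse_kv(line)

    # Normalise the host: lower-case and drop a trailing dot from DNS logs.
    host = fields.get("host", "").lower().rstrip(".")
    if host:
        if host in NGATE_DOMAINS:
            hits.append(Hit(line_no, "match", host, "host"))
        elif host.endswith(HUNT_SUFFIXES):
            hits.append(Hit(line_no, "hunt", host, "host"))

    sha1 = fields.get("sha1", "").lower()
    if sha1 in NGATE_SHA1:
        hits.append(Hit(line_no, "match", sha1, "sha1"))

    pkg = fields.get("package", "").lower()
    if pkg in NGATE_PACKAGES:
        hits.append(Hit(line_no, "match", pkg, "package"))

    det = fields.get("detection", "")
    if det in NGATE_DETECTIONS:
        hits.append(Hit(line_no, "match", det, "detection"))
    return hits


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan a whole log; line numbers are 1-based."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log: DNS, MDM app-install and AV events from one device.
SAMPLE_LOG = [
    '2025-05-02T10:14:03Z src=10.0.4.21 type=dns host=googleplay-itau.pages.dev rcode=NOERROR',
    '2025-05-02T10:14:09Z src=10.0.4.21 type=dns host=docs.example-internal.pages.dev rcode=NOERROR',
    '2025-05-02T10:15:30Z src=10.0.4.21 type=mdm event=app_install package=com.billy.cardemv '
    'sha1=223D7AA925549C9C657C017F06CF7C19595C2CEE',
    '2025-05-02T10:16:02Z src=10.0.4.22 type=dns host=www.example.com rcode=NOERROR',
    '2025-05-02T10:17:45Z src=10.0.4.21 type=av detection="Android/Spy.NGate.BD" action=quarantine',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.severity}] {hit.field}={hit.indicator}")
```

On the sample log this reports four exact matches (the impersonating domain, the package name, the SHA-1 and the AV detection) and one hunt lead for the unrelated pages.dev host; in practice the "match" hits feed the blocklist and the "hunt" hits feed a triage queue rather than an automatic block.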

How NGate spreads: distribution tactics

The usual entry point onto the device is smishing (SMS with malicious links), combined with social engineering calls in which the actors impersonate bank support staff to "verify" transactions and pressure the user into entering the PIN or placing the card on the mobile phone.

In addition to SMS, criminals use channels such as email with attachments or links, direct messages on social media, malicious ads, unauthorized downloads, unofficial software repositories, P2P networks, pirated content, “cracks” and fake updates which may include malware installers.

In some scenarios, malware families are capable of self-propagating on local networks or through removable devices (SD cards, USB drives), which requires extra precautions if resources are shared between devices.

Symptoms, damages and risks

NGate is designed to operate with a low noise level. Therefore, in many cases there are no clear signs of infection beyond subtle behaviors (network activity, unusual usage). The impact, however, is high: loss of money, exposure of personal data and risk of impersonation.

Since the technique allows cards to be emulated and contactless transactions to be made without the physical card, users may not notice the transactions until they appear on their statement. That's why monitoring bank notifications and activating alerts for activity at ATMs and POS terminals is crucial, especially if NFC is used frequently.

Detection and elimination: what you can do

If you suspect an infection, run a scan with a reputable antivirus solution. Some cleaning guides recommend products like Combo Cleaner (requires a license for full features; has a 7-day limited trial), which can detect and uninstall many known variants.

A complete system scan is essential because advanced malware often hides deep within the device. After disinfection, consider rotating your banking credentials and reviewing transactions with your bank to block any fraud in progress.

For further reading, there are previous technical analyses on the growing risks of NFC attacks on Android and on the importance of downloading apps from official stores. They are worth reviewing if you manage fleets or perform mobile hardening.

Some financial CSIRTs have issued summary alerts and invite organizations to become members in order to access detailed information on correlation, mitigation, and monitoring. One of the emails provides contact information for direct communication with the team.

Quick guide on Android: hygiene, settings and restoration

Chrome: Clear browsing history and data

Open the Chrome menu (three dots), enter History and choose Clear browsing data. On the Advanced tab, select the time range and the types of data you want to purge, and confirm by tapping Delete data.

Chrome: Disable annoying notifications

Go to Settings > Site settings > Notifications. Locate the sites that send notifications to your browser and tap Clear and reset. If you revisit them, they may request permission again.

Chrome: Reset the app

In System settings > Apps > Chrome > Storage, enter Manage storage, tap Delete all data and confirm. Remember that logins, history, and preferences will be reset to their defaults.

Firefox: Remove traces

Open the menu (three dots), enter History, then tap Delete private data. Select what you want to delete and confirm with DELETE DATA to clean up the browser.

Firefox: Cut off notifications

Visit the site that displays the alerts, tap the icon next to the URL, and press Edit site settings. Select Notifications and confirm with DELETE to remove the permissions.

Firefox: Reset the app

In System Settings > Applications > Firefox > Storage, tap DELETE DATA and confirm. Just like in Chrome, sessions, history, and personalized settings will be lost.

Uninstall suspicious apps

In Settings > Apps, review the list and uninstall anything you don't recognize or use. If that doesn't work, try Safe Mode to remove rogue applications that block their own removal.

Boot into Safe Mode

Press and hold the power button, tap Power Off, and then press and hold the icon again until the Safe Mode prompt appears. Restart in that mode and delete the malicious apps that resist removal.

Check battery consumption

In Settings > Device Maintenance > Battery, review usage by app. High, sustained consumption without explanation can be a red flag for malicious activity.

Monitor data usage

In Settings > Connections > Data usage, examine both mobile and Wi-Fi data. Unusual traffic from apps you don't use may indicate exfiltration.

Install the latest updates

In Settings > Software update, tap Download updates manually and apply any available patches. Also enable Download updates automatically to stay up to date.

Evaluate restorations

In Settings > About phone > Reset, you can reset only the system options, only the network settings, or perform a factory reset. Note: the last option completely erases the contents of the device.

Check apps with administrator privileges

In Settings > Lock screen and security > Other security settings > Device administrator apps, disable any app that shouldn't have administration permissions.

FAQs

Is it necessary to format the storage to eradicate NGate? In most cases, no. A careful cleanup, uninstallation, and a good antivirus are usually enough to leave the device clean.

What damage can NGate cause? Besides emptying accounts through withdrawals and contactless payments, it can lead to privacy violations and give rise to identity theft through data exposure.

What is the main motivation? Economic gain predominates, although, as with other malware, there are also cases motivated by fun, revenge, hacktivism or political ends.

How does it sneak into Android? Primarily through smishing and social engineering calls, but also through traditional channels: spam, unauthorized downloads, third-party repositories, P2P, cracks, fake updates and even propagation on local networks or removable media.

Does Combo Cleaner help protect me? It can detect and remove many known Android infections; running a full scan is key because advanced threats often hide deep within the environment.

Key technical and operational features

  • Not available on Google Play: the campaigns use PWA/WebAPK and pages that mimic the store.
  • Novel attack chain: phishing + social engineering + NFC relay with NGate/NFCGate.
  • Scope of operation: documented activity since 2023 in Czechia; new campaigns in Brazil.
  • No root access on the victim: the attacker's phone is usually rooted; the victim's doesn't need to be.

The findings show that NGate thoroughly exploits Android's NFC stack with the help of NFCGate, an academic project available on GitHub whose original purpose was research (capturing, analyzing and manipulating NFC traffic), but which is being misused here for ATM fraud. The combination with social tactics (where the victim is instructed to place the card on the mobile phone and enter the PIN) makes it possible to complete the attack in real time: the card is duplicated onto the attacker's device, allowing them to withdraw cash in a matter of minutes. At the first sign of trouble, it's advisable to activate response protocols, coordinate with the bank, change credentials, and reinforce safe download and browsing habits to close the door to future infections.
