Cybercriminals have quietly found a way to turn ordinary Android phones into remote skimmers that can drain cash from ATMs without ever touching a victim’s card. Instead of tampering with the machine, they hijack the phone’s near field communication, capture card data and PINs in real time, and relay that information to an accomplice standing at an ATM. The result is a new kind of heist where the victim walks away from a contactless payment, and minutes later their account is being emptied somewhere else.
What makes this attack so dangerous is not just the technical trick, but how seamlessly it blends into everyday smartphone banking and tap‑to‑pay habits. I am seeing a shift from crude phishing and fake banking apps to highly specialized Android malware that quietly watches NFC traffic, steals a PIN, and turns that data into instant cash withdrawals before anyone notices something is wrong.
From phone in your pocket to skimmer in your hand
The core of this scheme is simple: instead of installing hardware skimmers on ATMs, attackers infect Android phones and let the victims do the work. Once the malware is on a device, it waits for the user to make a contactless payment, then intercepts the card details and the PIN as they are entered. One campaign described in detail shows how Android malware steals your card details and PIN during NFC transactions and instantly forwards that data to the attacker’s device. Because the codes are transmitted in real time, the criminals can act before banks’ fraud systems have a chance to react.
Security researchers have traced this behavior to a family of Android banking malware that hooks into the operating system’s accessibility and NFC services. Once granted the right permissions, the malicious app can silently monitor what happens when the user taps their card or phone, capturing the NFC payload and any PIN entry screens. The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device, turning a single tap at a supermarket terminal into a live feed for unauthorized ATM withdrawals.
The NFC relay trick that makes ATMs spit out cash
What elevates this threat from data theft to direct cash-out is the use of NFC relaying, sometimes referred to as an “NFCGate” style capability. Instead of just storing stolen card data, the malware relays near field communication traffic between the victim’s phone and a remote device controlled by the attacker. One technical analysis explains how this functionality, dubbed “NFCGate,” forwards NFC data between the infected phone and a second device that can be held against an ATM’s contactless reader; combined with the user’s PIN, that relayed data lets the attackers perform live withdrawals against the victim’s account.
In practice, this means the attacker no longer needs to clone a physical card or guess static security codes. The malware turns the victim’s Android device into a live proxy that feeds the ATM exactly what it expects to see from a legitimate contactless card, including cryptographic data that is valid only for that moment. When a mobile device is infected with the NGate malware, attackers can capture the NFC activity, forward the transaction data to a second device, and present it to the ATM’s contactless reader to complete a withdrawal, all while the victim believes they have simply made a routine payment.
Inside NGate: the malware built for ATM theft
The most detailed reporting so far centers on a strain known as NGate, a piece of Android malware purpose built to bridge mobile payments and ATM cash-outs. Once NGate is installed, it prompts victims to enter their PIN under the guise of improving security or enabling new features, then quietly captures that code along with any NFC card data. Investigators found that NGate was used in a campaign targeting three Czech banks, where a group of cybercriminals used the malware to rob customers by combining stolen NFC data and PINs with remote devices at ATMs.
NGate’s design shows how far Android banking malware has evolved from simple credential theft. Instead of just logging keystrokes or overlaying fake login screens, it integrates deeply with NFC services, intercepts contactless payment flows, and relays that information in real time to accomplices. Technical writeups describe how NGate prompts victims to enter their PIN and then uses that code alongside relayed NFC data to authorize ATM withdrawals, a level of sophistication that goes beyond any previously discovered Android malware focused on card theft.
Why this attack is different from old-school skimming
Traditional ATM skimming relied on physical devices glued to card slots or hidden cameras aimed at keypads, which banks and customers eventually learned to spot. The new Android-based approach removes the need for any hardware on the machine itself, shifting the entire operation into software that lives on the victim’s phone. Security researchers have now discovered that attackers can infect a device, grant it the ability to read NFC activity, and use that access at the exact moment a user taps for payment, turning the smartphone into the skimmer instead of the ATM.
This shift has two major consequences. First, it makes the fraud much harder to detect, because there is no suspicious hardware for bank technicians to find and remove. Second, it allows criminals to scale their operations across borders, since the infected phones and the ATMs can be in different cities or even different countries. One investigation into Android malware that uses NFC to steal money at ATMs notes that the campaign’s primary goal is unauthorized ATM withdrawals, and that the relay technique is more advanced than any previously discovered Android malware targeting card data in this way.
TOAD scams and the social engineering that opens the door
The technical trick only works if attackers can first convince someone to install the malware, and that is where TOAD style scams come in. TOAD, short for “telephone oriented attack delivery,” blends phone calls, fake support messages, and malicious links to push victims into downloading a poisoned app or granting dangerous permissions. A detailed warning earlier this year, headlined “New Android Warning: This TOAD Malware Attack Steals Cash From ATMs,” explained how victims were pressured over the phone to install a supposed security tool that was in fact Android malware designed for ATM theft.
In these scenarios, the social engineering is as important as the code. Attackers pose as bank staff, tech support, or even law enforcement, insisting that the victim’s account is at risk and that they must install a specific app or enable remote access to “secure” their funds. Once the malicious app is in place, it can request accessibility rights, notification access, and NFC permissions that would look suspicious in any other context. By the time the victim realizes something is wrong, the malware has already captured their card details and PIN and passed them on for ATM withdrawals, turning a phone call into a direct pipeline to their cash.
Speed is the weapon: how thieves beat fraud systems
Modern banking systems are built to flag unusual activity, but the attackers behind this Android malware rely on speed to stay ahead of those defenses. As soon as the victim completes a contactless payment and enters their PIN, the malware forwards the data to an accomplice who is already waiting at an ATM. One investigation into how Android malware lets thieves access your ATM cash explains that the attackers rely on speed, using the brief window after a legitimate transaction to hit an ATM with the relayed NFC data before fraud detection systems can react to the pattern.
This race against the clock is what turns a single tap into a full account drain. New Android banking malware is getting harder to spot as attackers refine their techniques, and some reports warn that new Android malware can empty your bank account in seconds once it has the right combination of NFC data and PIN. In practice, that means a victim might finish paying for groceries with their phone and, within minutes, see a series of ATM withdrawals they did not make, long before they have any chance to freeze their card or contact their bank.
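The pattern the two paragraphs above describe, a contactless purchase followed within minutes by contactless ATM withdrawals on the same card somewhere the cardholder could not have reached, is the kind of thing a bank-side velocity rule can catch. The following is an added Python example, not code from the article or from any bank or vendor it mentions. It assumes a simplified transaction record (ISO timestamp, card token, channel, coordinates, amount); the records, the 30-minute lookback, the 150 km/h plausibility limit and the 10-minute burst window are all constructed for illustration.

```python
"""Velocity check for ATM withdrawals that follow a contactless tap too quickly.

Added example, not code from the article or from any bank it mentions. A
contactless purchase at a POS terminal followed within minutes by contactless
ATM withdrawals on the same card far away is the pattern the relay attack
produces; this flags it with a speed-of-travel rule plus a burst rule.
Thresholds and all transaction records are constructed for illustration.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample: a POS tap in one city followed by two ATM withdrawals in
# another city minutes later (tok-1), and a benign tap-then-withdraw (tok-2).
TRANSACTIONS = [
    {"ts": "2024-05-02T12:01:10", "card": "tok-1", "channel": "POS_CONTACTLESS",
     "lat": 50.0755, "lon": 14.4378, "amount": 18.40},
    {"ts": "2024-05-02T12:05:40", "card": "tok-1", "channel": "ATM_CONTACTLESS",
     "lat": 49.1951, "lon": 16.6068, "amount": 400.00},
    {"ts": "2024-05-02T12:07:05", "card": "tok-1", "channel": "ATM_CONTACTLESS",
     "lat": 49.1951, "lon": 16.6068, "amount": 400.00},
    {"ts": "2024-05-02T12:03:00", "card": "tok-2", "channel": "POS_CONTACTLESS",
     "lat": 50.0755, "lon": 14.4378, "amount": 7.90},
    {"ts": "2024-05-02T12:30:00", "card": "tok-2", "channel": "ATM_CONTACTLESS",
     "lat": 50.0800, "lon": 14.4300, "amount": 100.00},
]


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    radius = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * radius * asin(sqrt(a))


def detect_relay_pattern(transactions, window=timedelta(minutes=30),
                         max_kmh=150.0, burst=timedelta(minutes=10)):
    """Return alerts for ATM contactless withdrawals that are implausibly far
    from the card's most recent POS tap, or that arrive in quick bursts."""
    by_card = {}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        by_card.setdefault(tx["card"], []).append(tx)

    alerts = []
    for card, events in by_card.items():
        last_pos = None      # (time, record) of the most recent POS tap
        recent_atm = []      # times of ATM withdrawals inside the burst window
        for ev in events:
            t = datetime.fromisoformat(ev["ts"])
            if ev["channel"] == "POS_CONTACTLESS":
                last_pos = (t, ev)
                continue
            if ev["channel"] != "ATM_CONTACTLESS":
                continue
            if last_pos is not None and t - last_pos[0] <= window:
                pos_t, pos = last_pos
                dist = km_between(pos["lat"], pos["lon"], ev["lat"], ev["lon"])
                # floor the elapsed time at one second so a same-minute pair cannot divide by zero
                hours = max((t - pos_t).total_seconds() / 3600.0, 1.0 / 3600.0)
                if dist / hours > max_kmh:
                    alerts.append({"card": card, "ts": ev["ts"],
                                   "reason": "atm_far_from_recent_pos_tap",
                                   "km": round(dist, 1),
                                   "minutes": round((t - pos_t).total_seconds() / 60, 1)})
            recent_atm = [x for x in recent_atm if t - x <= burst]
            recent_atm.append(t)
            if len(recent_atm) >= 2:
                alerts.append({"card": card, "ts": ev["ts"], "reason": "atm_burst",
                               "count": len(recent_atm)})
    return alerts


if __name__ == "__main__":
    for alert in detect_relay_pattern(TRANSACTIONS):
        print(alert)
```

Run as a script it prints three alerts for tok-1 (two distance alerts and one burst) and none for tok-2, whose withdrawal is a short walk from the tap and half an hour later. The rule is deliberately narrow: it keys on the relay's defining signature, an ATM contactless transaction that follows the card's own POS tap faster than anyone could travel, rather than on amount or merchant category, which the attack does not need to vary.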
How attackers get onto your phone in the first place
Behind every successful ATM cash-out is an earlier compromise of the victim’s Android device. Attackers typically rely on a mix of malicious apps, fake updates, and cleverly disguised tools that promise to boost performance or security. Some campaigns use phishing links that lead to sideloaded APK files, while others abuse third party app stores that lack the vetting of Google Play. Once installed, the malware asks for broad permissions that let it monitor notifications, overlay screens, and access NFC functions, all of which are essential to intercepting card data and PINs.
Smartphone banking has made life easier, but it has also expanded the attack surface for criminals who no longer need to target bank infrastructure directly. Reports on how Android malware lets thieves access your ATM cash note that attackers are now after your ATM cash by piggybacking on the same convenience features that make mobile payments attractive in the first place, such as tap to pay and integrated banking apps. By blending into that ecosystem, the malware can sit quietly until the perfect moment to capture a transaction and turn it into cash at an ATM.
Real-world fallout: banks, customers, and the Czech campaign
The NGate campaign against three Czech banks offers a concrete example of how damaging this malware can be once it is deployed at scale. Investigators found that a strain of malware built for Android devices was used by cybercriminals to rob three Czech banks in a coordinated operation that combined infected phones, NFC relaying, and accomplices at ATMs. Once NGate is installed, it can capture any PIN the victim enters on websites or in apps, as well as the NFC data from contactless payments, giving the attackers everything they need to perform unauthorized withdrawals without ever touching the victim’s physical card.
For banks, this kind of fraud is particularly challenging to investigate, because the ATM logs show a legitimate contactless transaction with valid cryptographic data, and the victim’s card was never cloned or physically present. For customers, the experience is even more disorienting, since they may have kept their physical card safe and still see their accounts drained. Some guidance aimed at victims of Android malware stresses the importance of contacting the bank through verified channels, keeping the physical card safe, and documenting any suspicious app downloads or permissions that might have enabled the attack in the first place.
What you can do now to stay ahead of the threat
Defending against this kind of Android malware requires a mix of technical hygiene and behavioral caution. On the technical side, keeping your phone’s operating system and apps updated, avoiding sideloaded APKs, and sticking to trusted app stores are basic but essential steps. It is also worth reviewing which apps have access to NFC, accessibility services, and overlay permissions, since those are the capabilities most often abused to intercept card data and PINs. If an app that is not your bank or wallet is asking for such access, that should be treated as a red flag.
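One way to carry out the permission review just described on a device you administer, as an added Python example that is not code from the article or from any vendor it names: it reads text shaped like the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners`, and a cut-down `adb shell dumpsys package <pkg>` listing, then flags apps that combine an enabled accessibility service with NFC and overlay permissions. The package names, the dumpsys excerpt and the two allowlists of expected apps are constructed for the example, and the parser assumes only that the listing contains `Package [...]` headers and `android.permission.X: granted=true` lines, since real dumpsys output is much longer and its layout varies between Android versions.

```python
"""Flag apps holding the capability mix NFC-relay banking malware abuses.

Added example, not code from the article or from any vendor it names. It
reads text shaped like the output of three adb commands run on a device you
administer:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys package <pkg>      (cut down to the permission lines)
and reports apps that combine an enabled accessibility service with NFC and
overlay (SYSTEM_ALERT_WINDOW) permissions. Package names, the dumpsys excerpt
and the allowlists are constructed sample data; the parser assumes only the
`Package [...]` header and `android.permission.X: granted=true` line shapes.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: colon-separated component names, as the settings command prints them.
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/.TalkBackService:"
    "com.example.secure.update/.GuardService"
)
ENABLED_NOTIFICATION_LISTENERS = "com.example.secure.update/.NotifyService"

# Constructed excerpt modelled on `dumpsys package` output.
DUMPSYS_EXCERPT = """\
Package [com.example.bank] (1a2b3c):
  install permissions:
    android.permission.NFC: granted=true
    android.permission.INTERNET: granted=true
Package [com.example.secure.update] (4d5e6f):
  install permissions:
    android.permission.NFC: granted=true
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
    android.permission.INTERNET: granted=true
Package [com.android.talkback] (7a8b9c):
  install permissions:
    android.permission.INTERNET: granted=true
"""

# Apps the device owner expects to hold these capabilities (assumed allowlists).
EXPECTED_NFC_APPS = {"com.example.bank"}
EXPECTED_ACCESSIBILITY_APPS = {"com.android.talkback"}

NFC = "android.permission.NFC"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PKG_HEADER = re.compile(r"^Package \[([\w.]+)\]")
PERM_LINE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=true")


@dataclass
class AppCaps:
    package: str
    permissions: set = field(default_factory=set)
    accessibility: bool = False
    notification_access: bool = False

    def risk_flags(self):
        """Human-readable reasons this app deserves a second look."""
        flags = []
        if self.accessibility and self.package not in EXPECTED_ACCESSIBILITY_APPS:
            flags.append("unexpected accessibility service enabled")
        if NFC in self.permissions and self.package not in EXPECTED_NFC_APPS:
            flags.append("unexpected NFC permission")
        if OVERLAY in self.permissions:
            flags.append("overlay permission (can draw fake PIN prompts)")
        if self.notification_access:
            flags.append("notification listener access")
        if self.accessibility and NFC in self.permissions and OVERLAY in self.permissions:
            flags.append("HIGH: accessibility + NFC + overlay, the NFC-relay malware pattern")
        return flags


def parse_component_list(setting):
    """Package names from a colon-separated list of component names ('null' means none)."""
    return {c.split("/")[0] for c in setting.split(":") if c.strip() and c.strip() != "null"}


def parse_dumpsys(text):
    """Map package name -> AppCaps carrying its granted permissions."""
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_HEADER.match(line)
        if m:
            current = apps.setdefault(m.group(1), AppCaps(m.group(1)))
            continue
        m = PERM_LINE.match(line)
        if m and current is not None:
            current.permissions.add(m.group(1))
    return apps


def audit(dumpsys_text, accessibility_setting, listener_setting):
    """Return {package: [flags]} for every app with at least one flag."""
    apps = parse_dumpsys(dumpsys_text)
    for pkg in parse_component_list(accessibility_setting):
        apps.setdefault(pkg, AppCaps(pkg)).accessibility = True
    for pkg in parse_component_list(listener_setting):
        apps.setdefault(pkg, AppCaps(pkg)).notification_access = True
    return {pkg: app.risk_flags() for pkg, app in apps.items() if app.risk_flags()}


if __name__ == "__main__":
    for pkg, flags in audit(DUMPSYS_EXCERPT, ENABLED_ACCESSIBILITY,
                            ENABLED_NOTIFICATION_LISTENERS).items():
        print(pkg)
        for f in flags:
            print("  -", f)
```

With the constructed input, only `com.example.secure.update` is reported: the bank app holds NFC but is on the allowlist, and the screen reader holds an accessibility service but is expected to. The combined "HIGH" flag is the one worth acting on, because accessibility access lets an app read what the user taps and types, overlay access lets it put up its own PIN prompt, and NFC access lets it touch the contactless traffic.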
On the behavioral side, I recommend treating unsolicited calls or messages about your bank account as potential TOAD setups, especially if they pressure you to install an app or grant remote access. If you rely heavily on tap to pay, consider limiting NFC payments to a dedicated device or card, and monitor your account closely after each use. Some security advisories on Android malware that steals your card details and PIN emphasize that the malware then instantly sends all that NFC data, including the PIN, to the attacker’s device, which means early detection is critical to stopping a full account drain once the attack is underway.