Analysis of NGate malware campaign (NFC relay)
ID: 230d9d64-5a1d-5539-a6d4-3e9612730654
STIX ID: report--230d9d64-5a1d-5539-a6d4-3e9612730654
Feed Name: CERT Polska
**CERT Polska analyzed NGate, an Android NFC-relay malware kit. Through phishing and bogus bank calls, the operators trick victims into sideloading an app that captures EMV card data (PAN, expiry, AIDs, APDUs) and PINs and exfiltrates them over a cleartext framed TCP protocol to a C2 at 91.84.97.13:5653, so that the attackers can relay the card session and withdraw cash from ATMs. The sample uses native code to XOR-decrypt its configuration with the SHA-256 of the APK signing certificate, and it supports both a reader role (victim phone) and an emitter role (attacker phone at the ATM).**
