ESET researchers have identified a new Android malware called NGate, which is designed to steal payment card data via near-field communication (NFC) and facilitate unauthorized ATM withdrawals. Active since November 2023, NGate uses a sophisticated two-phase phishing campaign that tricks victims into installing a malicious app through deceptive messages about tax returns. Once installed, NGate captures victims' banking credentials and prompts them to place their cards near their phones, allowing attackers to relay NFC data to their devices. This malware exploits a modified version of NFCGate, originally intended for legitimate NFC research, to perform these attacks without needing to root the victim's device. The campaign has primarily targeted clients of three Czech banks and was disrupted after a suspect's arrest in March 2024. Notably, NGate was never available on the Google Play store, highlighting the risks associated with Android's open ecosystem.