Full Report
CERT Polska has observed new samples of mobile malware in recent months associated with an NFC Relay (NGate) attack targeting users of Polish banks.
Analysis Summary
# Tool/Technique: NGate (NFC Relay Malware Kit)
## Overview
NGate is a sophisticated mobile malware kit specifically designed to facilitate NFC Relay attacks targeting users of Polish banks. Its primary purpose is to enable unauthorized cash withdrawals at ATMs by intercepting and relaying the victim's payment card Near Field Communication (NFC) traffic, along with the entered PIN, to an attacker-controlled device at the ATM.
## Technical Details
- Type: Malware Family/Tool (Android NFC Relay Kit)
- Platform: Android
- Capabilities: Host Card Emulation (HCE) service implementation, NFC APDU capture, PIN capture, XOR-encrypted configuration storage, TCP-based command and control (C2) communication.
- First Seen: Recent months (prior to November 3, 2025, as per the article date).
## MITRE ATT&CK Mapping
This campaign utilizes techniques for initial access via social engineering and the subsequent establishment of control over payment capabilities.
- **TA0001 - Initial Access**
  - T1588.002 - Obtain Capabilities: Acquire necessary tools or knowledge to bypass security controls (NGate kit).
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File: Luring victims into installing the malicious Android application via phishing links.
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel: Sending captured card data (PAN, expiry, AIDs, APDUs) and the PIN over a TCP connection to the attacker.
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols: Using a custom, framed TCP protocol for communication.
## Functionality
### Core Capabilities
- **NFC Data Capture (Reader Mode):** The primary function observed in the analyzed sample is capturing EMV Application Protocol Data Units (APDUs) when the victim taps their physical card against the compromised phone.
- **PIN Capture:** The application UI includes a virtual PIN pad, capturing the card PIN entered by the victim.
- **Data Exfiltration:** Captured PAN, expiry, AIDs, APDUs, and the PIN are sent to a hard-coded C2 server using a simple framed TCP protocol (`len|opcode|body`).
- **Configuration Obfuscation:** Stores server address and behavior hidden in an encrypted asset within the APK, using an XOR key derived from the APK signing certificate's SHA-256 hash.
### Advanced Features
- **Dual Role Capability (NFC Relay):** The malware family supports two roles:
  1. **Reader Role:** Deployed on the victim's phone to capture data.
  2. **Emitter Role:** Uses a fully declared `HostApduService` with a payment-category AID, capable of emulating a virtual card (HCE) to communicate with an ATM terminal.
- **Host Card Emulation (HCE):** The application registers itself as an HCE payment service, allowing it to mimic a virtual payment card when necessary (e.g., when used by the attacker at the ATM).
- **Native Helper Library:** The Java layer loads and verifies runtime configuration via a native library (`libapp.so`).
## Indicators of Compromise
- File Hashes:
- SHA-256 (as labelled in the summary; note that each value is 32 hex characters, which is the length of an MD5 digest, so verify the algorithm against the full report before matching): `2cee3f603679ed7e5f881588b2e78ddc`, `701e6905e1adf78e6c59ceedd93077f3`, `2cb20971a972055187a5d4ddb4668cc2`, `b0a5051df9db33b8a1ffa71742d4cb09`, `bcafd5c19ffa0e963143d068c8efda92`
- File Names: not given in the report (the APK is sideloaded from the phishing distribution link)
- Registry Keys: N/A (Mobile)
- Network Indicators:
- C2 Endpoint: `91[.]84[.]97[.]13:5653`
- Distribution Vector: `files[.]fm/u/yfwsanu886` (phishing link)
- Behavioral Indicators: Registration as an HCE service, forwarding inbound APDUs while returning empty responses (in Emitter role context).
## Associated Threat Actors
The report identifies this as a campaign observed by CERT Polska, targeting users of Polish banks. The report does not name a specific threat actor group; the operators combine social engineering with custom mobile malware.
## Detection Methods
- **Signature-based detection:** Detection based on the known file hashes or unique strings within the decrypted configuration (if the XOR key is known).
- **Behavioral detection:** Monitoring for Android applications that request broad NFC permissions and attempt to register as a payment HCE service (`HostApduService`) while exhibiting non-standard network activity.
- **YARA rules:** Rules targeting the specific structure of the native library loading or the decrypted C2 communication protocol framing.
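The behavioral check above (an app holding NFC and network permissions that registers a `HostApduService` with a payment-category AID), as an added Python triage example that is not part of the CERT Polska report. It parses an `AndroidManifest.xml` and the HCE descriptor referenced from it; the element and attribute names are the standard Android ones, while the two XML samples and the package name are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed manifest: NFC + INTERNET permissions and a registered HCE service.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.suspect">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter><action android:name="{HCE_ACTION}"/></intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/apduservice.xml: an AID group in the "payment" category.
SAMPLE_APDUSERVICE = f"""<host-apdu-service xmlns:android="{ANDROID_NS}"
    android:requireDeviceUnlock="false">
  <aid-group android:category="payment" android:description="@string/aid">
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""

def attr(el, name):
    # Read an android:-namespaced attribute (ElementTree uses {ns}name keys).
    return el.get(f"{{{ANDROID_NS}}}{name}")

def triage(manifest_xml, apduservice_xml):
    """Return the set of NFC-relay-relevant traits found in the two documents."""
    m = ET.fromstring(manifest_xml)
    perms = {attr(p, "name") for p in m.iter("uses-permission")}
    traits = set()
    if "android.permission.NFC" in perms:
        traits.add("nfc_permission")
    if "android.permission.INTERNET" in perms:
        traits.add("internet_permission")
    # An HCE service is any <service> whose intent-filter carries the HCE action.
    for svc in m.iter("service"):
        if any(attr(a, "name") == HCE_ACTION for a in svc.iter("action")):
            traits.add("hce_service")
    s = ET.fromstring(apduservice_xml)
    if any(attr(g, "category") == "payment" for g in s.iter("aid-group")):
        traits.add("payment_aid_group")
    return traits

def looks_like_nfc_relay(traits):
    """Flag the combination the report describes: HCE payment service plus network access."""
    return {"hce_service", "payment_aid_group", "internet_permission"} <= traits
```

The check is a triage heuristic: legitimate wallet apps also register payment HCE services, so a hit should be combined with the hash, C2 and distribution indicators above rather than treated as a verdict on its own.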
## Mitigation Strategies
- **Prevention:** Do not download bank applications from unofficial sources (phishing links). Only use official application stores (Google Play Store, App Store).
- **Hardening:** Be suspicious of unsolicited calls claiming to be from your bank; always hang up and initiate contact by calling the bank back using a known, official number to verify authenticity.
- **Security Practice:** Refrain from tapping physical payment cards to unknown applications or entering PINs through non-verified on-screen keypads during remote sessions.
## Related Tools/Techniques
- Other NFC relay kits: the report gives no specifics, but NGate is one implementation of dynamic NFC proxying (a reader role on one device relaying to an emulator role on another).
- General Android banking trojans that pair the malware with social engineering, such as fraudulent phone calls impersonating the victim's bank, as in this campaign.